[MDEV-26822] ASAN heap-use-after-free / Valgrind invalid read in Binary_string::copy and __interceptor_memmove Created: 2021-10-13  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Character Sets, Server
Affects Version/s: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug
Priority: Major
Reporter: Elena Stepanova
Assignee: Michael Widenius
Resolution: Unresolved
Votes: 0
Labels: regression

Issue Links:
Duplicate
is duplicated by MDEV-32679 [Draft] ASAN errors in Binary_string:... Closed
Relates
relates to MDEV-29462 ASAN: heap-use-after-free in Binary_s... Confirmed

Description

SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;

10.6 0144d1d2 ASAN

==1375312==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0000d8ab8 at pc 0x7f36c80d7f40 bp 0x7f36be0f3c10 sp 0x7f36be0f33b8
READ of size 32 at 0x60f0000d8ab8 thread T5
    #0 0x7f36c80d7f3f in __interceptor_memmove (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f)
    #1 0x55b56c134463 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:250
    #2 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
    #3 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
    #4 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
    #5 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
    #6 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
    #7 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
    #8 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
    #9 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
    #10 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #11 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
    #12 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
    #13 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
    #14 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
    #15 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
    #16 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #17 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #18 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #19 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #20 0x7f36c762e292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x60f0000d8ab8 is located 136 bytes inside of 172-byte region [0x60f0000d8a30,0x60f0000d8adc)
freed by thread T5 here:
    #0 0x7f36c81447cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x55b56dbe9ed5 in free_memory /data/src/10.6/mysys/safemalloc.c:297
    #2 0x55b56dbe9312 in sf_free /data/src/10.6/mysys/safemalloc.c:203
    #3 0x55b56dbb6d1e in my_free /data/src/10.6/mysys/my_malloc.c:211
    #4 0x55b56bbd4097 in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:227
    #5 0x55b56c132eb3 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:44
    #6 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
    #7 0x55b56c134369 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:247
    #8 0x55b56bdc88e5 in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
    #9 0x55b56c7b092c in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4988
    #10 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
    #11 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
    #12 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
    #13 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
    #14 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
    #15 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
    #16 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #17 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
    #18 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
    #19 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
    #20 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
    #21 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
    #22 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #23 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #24 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #25 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T5 here:
    #0 0x7f36c8144bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b56dbe8cc6 in sf_malloc /data/src/10.6/mysys/safemalloc.c:126
    #2 0x55b56dbb5ef8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
    #3 0x55b56c132f57 in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:45
    #4 0x55b56bbfe414 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
    #5 0x55b56be90eea in Datetime::to_string(String*, unsigned int) const /data/src/10.6/sql/sql_type.h:2583
    #6 0x55b56be9993e in Item_datetimefunc::val_str(String*) /data/src/10.6/sql/item_timefunc.h:704
    #7 0x55b56c91926c in Item_func_md5::val_str_ascii(String*) /data/src/10.6/sql/item_strfunc.cc:163
    #8 0x55b56c918570 in Item_func::val_str_from_val_str_ascii(String*, String*) /data/src/10.6/sql/item_strfunc.cc:98
    #9 0x55b56c606127 in Item_str_ascii_func::val_str(String*) /data/src/10.6/sql/item_strfunc.h:94
    #10 0x55b56c9f665c in Item_char_typecast::val_str_generic(String*) /data/src/10.6/sql/item_timefunc.cc:3172
    #11 0x55b56ca0e92b in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /data/src/10.6/sql/item_timefunc.cc:3275
    #12 0x55b56c5094a3 in Item_handled_func::val_str(String*) /data/src/10.6/sql/item_func.h:770
    #13 0x55b56c7b08fc in Item_copy_string::copy() /data/src/10.6/sql/item.cc:4986
    #14 0x55b56c046d32 in copy_fields(TMP_TABLE_PARAM*) /data/src/10.6/sql/sql_select.cc:25866
    #15 0x55b56c02e464 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:22515
    #16 0x55b56c02080a in do_select /data/src/10.6/sql/sql_select.cc:20552
    #17 0x55b56bfad4fa in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4737
    #18 0x55b56bfaa9db in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4515
    #19 0x55b56bfaef36 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4993
    #20 0x55b56bf7f40c in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #21 0x55b56bee4802 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6256
    #22 0x55b56bed32be in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3946
    #23 0x55b56beefac5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8030
    #24 0x55b56bec5b73 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1896
    #25 0x55b56bec2897 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1404
    #26 0x55b56c328a8c in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #27 0x55b56c328318 in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #28 0x55b56cf95298 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #29 0x7f36c7a5b608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7f36c8071805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55b56cf9024e in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:48
    #2 0x55b56cf9568b in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
    #3 0x55b56bbafd98 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
    #4 0x55b56bbc767e in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5922
    #5 0x55b56bbc7cfa in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5981
    #6 0x55b56bbc8067 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6043
    #7 0x55b56bbc8a65 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6167
    #8 0x55b56bbc6e7a in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5817
    #9 0x55b56bbaf0bc in main /data/src/10.6/sql/main.cc:34
    #10 0x7f36c75330b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0xa0f3f) in __interceptor_memmove
Shadow bytes around the buggy address:
  0x0c1e80013100: 00 04 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1e80013110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x0c1e80013120: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e80013130: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa
  0x0c1e80013140: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c1e80013150: fd fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa
  0x0c1e80013160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80013170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80013180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80013190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800131a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==1375312==ABORTING
211014  1:29:35 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.6.5-MariaDB-debug-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63858 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b00007e288
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f36be0f6cd0 thread_stack 0x100000
??:0(__interceptor_tcgetattr)[0x7f36c80a3d30]
/mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(my_print_stacktrace+0xec)[0x55b56dbc79b5]
/mnt-hd8t/bld/10.6-asan-nightly/bin/mariadbd(handle_fatal_signal+0xa22)[0x55b56c72e44f]
sigaction.c:0(__restore_rt)[0x7f36c7a673c0]
??:0(gsignal)[0x7f36c755218b]
??:0(abort)[0x7f36c7531859]
??:0(__sanitizer_set_report_fd)[0x7f36c81626a2]
??:0(__sanitizer_get_module_and_offset_for_pc)[0x7f36c816d24c]
??:0(__sanitizer_ptr_cmp)[0x7f36c814e8ec]
??:0(__asan_on_error)[0x7f36c814e363]
??:0(memmove)[0x7f36c80d7f5f]
sql/sql_string.cc:251(Binary_string::copy(Binary_string const&))[0x55b56c134464]
sql/sql_string.h:881(String::copy(String const&))[0x55b56bdc88e6]
sql/item.cc:4989(Item_copy_string::copy())[0x55b56c7b092d]
sql/sql_select.cc:25865(copy_fields(TMP_TABLE_PARAM*))[0x55b56c046d33]
sql/sql_select.cc:22516(end_send_group(JOIN*, st_join_table*, bool))[0x55b56c02e465]
sql/sql_select.cc:20552(do_select(JOIN*, Procedure*))[0x55b56c02080b]
sql/sql_select.cc:4737(JOIN::exec_inner())[0x55b56bfad4fb]
sql/sql_select.cc:4516(JOIN::exec())[0x55b56bfaa9dc]
sql/sql_select.cc:4995(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55b56bfaef37]
sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55b56bf7f40d]
sql/sql_parse.cc:6256(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55b56bee4803]
sql/sql_parse.cc:3946(mysql_execute_command(THD*, bool))[0x55b56bed32bf]
sql/sql_parse.cc:8030(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55b56beefac6]
sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55b56bec5b74]
sql/sql_parse.cc:1404(do_command(THD*, bool))[0x55b56bec2898]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55b56c328a8d]
sql/sql_connect.cc:1314(handle_one_connection)[0x55b56c328319]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55b56cf95299]
nptl/pthread_create.c:478(start_thread)[0x7f36c7a5b609]
??:0(clone)[0x7f36c762e293]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b0000852a8): SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f
 
Connection ID (thread ID): 4
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_auto_W9Up/mysqld.1/data

10.6 0144d1d2 Valgrind

==1375468== Thread 6:
==1375468== Invalid read of size 8
==1375468==    at 0x4842A7C: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1375468==    by 0xB35B3F: Binary_string::copy(Binary_string const&) (sql_string.cc:250)
==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
==1375468==    by 0xA4950A: mysql_execute_command(THD*, bool) (sql_parse.cc:3946)
==1375468==    by 0xA570F2: mysql_parse(THD*, char*, unsigned int, Parser_state*) (sql_parse.cc:8030)
==1375468==    by 0xA43522: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) (sql_parse.cc:1896)
==1375468==    by 0xA41EBE: do_command(THD*, bool) (sql_parse.cc:1404)
==1375468==  Address 0xc47f098 is 24 bytes inside a block of size 56 free'd
==1375468==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1375468==    by 0x172BA65: my_free (my_malloc.c:211)
==1375468==    by 0x8FB670: Binary_string::free_buffer() (sql_string.h:227)
==1375468==    by 0xB3521B: Binary_string::real_alloc(unsigned long) (sql_string.cc:44)
==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
==1375468==    by 0xB35AF4: Binary_string::copy(Binary_string const&) (sql_string.cc:247)
==1375468==    by 0x9D7137: String::copy(String const&) (sql_string.h:880)
==1375468==    by 0xE2164C: Item_copy_string::copy() (item.cc:4988)
==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
==1375468==    by 0xAA2836: JOIN::exec_inner() (sql_select.cc:4737)
==1375468==    by 0xAA18AC: JOIN::exec() (sql_select.cc:4515)
==1375468==    by 0xAA31E6: mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:4993)
==1375468==    by 0xA923EA: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:545)
==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
==1375468==  Block was alloc'd at
==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)
(Valgrind then reports three further "Invalid read of size 8" errors from the same memmove in Binary_string::copy (sql_string.cc:250), at addresses 0xc47f0a0, 0xc47f0a8 and 0xc47f0b0, i.e. 32, 40 and 48 bytes inside the same freed 56-byte block; the "free'd" and "alloc'd" stacks of each are identical to those of the first report above.)
==1375468==    by 0xA522A2: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6256)
==1375468==  Block was alloc'd at
==1375468==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1375468==    by 0x172B276: my_malloc (my_malloc.c:90)
==1375468==    by 0xB3524A: Binary_string::real_alloc(unsigned long) (sql_string.cc:45)
==1375468==    by 0x90D1DF: Binary_string::alloc(unsigned long) (sql_string.h:698)
==1375468==    by 0xA2A702: Datetime::to_string(String*, unsigned int) const (sql_type.h:2583)
==1375468==    by 0xA2E762: Item_datetimefunc::val_str(String*) (item_timefunc.h:704)
==1375468==    by 0xEC0648: Item_func_md5::val_str_ascii(String*) (item_strfunc.cc:163)
==1375468==    by 0xEBFFDF: Item_func::val_str_from_val_str_ascii(String*, String*) (item_strfunc.cc:98)
==1375468==    by 0xD5FD27: Item_str_ascii_func::val_str(String*) (item_strfunc.h:94)
==1375468==    by 0xF18BF5: Item_char_typecast::val_str_generic(String*) (item_timefunc.cc:3172)
==1375468==    by 0xF22D86: Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const (item_timefunc.cc:3275)
==1375468==    by 0xCE065C: Item_handled_func::val_str(String*) (item_func.h:770)
==1375468==    by 0xE2161C: Item_copy_string::copy() (item.cc:4986)
==1375468==    by 0xADCA81: copy_fields(TMP_TABLE_PARAM*) (sql_select.cc:25866)
==1375468==    by 0xAD3FCD: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:22515)
==1375468==    by 0xACF3A8: do_select(JOIN*, Procedure*) (sql_select.cc:20552)

Non-instrumented builds don't crash, but a debug build returns garbage:

SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;
f	COUNT(*)
�������������������������������	1

Reproducible on 10.6-10.7, not reproducible on 10.5.
The failure appeared in 10.6 after this commit:

commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
Author: Monty <monty@mariadb.org>
Date:   Wed Sep 16 11:23:50 2020 +0300
 
    Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
    
    The problem was that when one used String::alloc() to allocate a string,
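
The traces above show Binary_string::copy() calling alloc(), whose real_alloc() frees the old buffer, after which memmove() reads from a source that still points into that freed block. Added example, not MariaDB's code: a small C++ model of that aliasing hazard beside a copy that checks for it first; BinStr, copy_raw, copy_safe and source_aliases are hypothetical names, and the buffer sizes are constructed.

```cpp
// Added example (not MariaDB code): a minimal model of the aliasing bug shown in
// the trace above. Like Binary_string::real_alloc(), alloc() frees the old buffer
// before malloc'ing a larger one; if the copy source is a "view" string whose
// pointer lies inside that old buffer, memmove() then reads freed memory.
#include <cstdlib>
#include <cstring>
#include <string>
struct BinStr {
  char  *ptr = nullptr;   // buffer: owned when alloced, borrowed otherwise
  size_t len = 0;         // bytes in use
  size_t cap = 0;         // bytes allocated (0 for a borrowed view)
  bool   alloced = false; // true when ptr is ours to free
  BinStr() = default;
  BinStr(const BinStr &) = delete;
  BinStr &operator=(const BinStr &) = delete;
  ~BinStr() { free_buffer(); }
  void free_buffer() { if (alloced) std::free(ptr); ptr = nullptr; cap = 0; alloced = false; }
  // Mirrors real_alloc(): the old block is freed BEFORE the new one exists.
  bool real_alloc(size_t n) {
    free_buffer();
    ptr = static_cast<char *>(std::malloc(n + 1));
    if (!ptr) return false;
    cap = n + 1; alloced = true; return true;
  }
  // Mirrors alloc(): reuse the buffer only if n < cap (room for a terminator).
  bool alloc(size_t n) { return n < cap ? true : real_alloc(n); }
  // Borrow memory owned by someone else, as val_str() results often do.
  void set_view(const char *s, size_t n) { free_buffer(); ptr = const_cast<char *>(s); len = n; }
  // The check the buggy path lacks: does src point into the block alloc() may free?
  bool source_aliases(const BinStr &src) const {
    return alloced && src.ptr >= ptr && src.ptr < ptr + cap;
  }
  // The shape from the trace: alloc() can free src's bytes, memmove() reads them.
  bool copy_raw(const BinStr &src) {
    if (!alloc(src.len)) return false;      // may free the block src.ptr is in
    std::memmove(ptr, src.ptr, src.len);    // heap-use-after-free when aliased
    len = src.len;
    return true;
  }
  // Hardened copy: an aliased source is copied out before its block is freed.
  bool copy_safe(const BinStr &src) {
    if (!source_aliases(src)) return copy_raw(src);
    if (src.len < cap) { std::memmove(ptr, src.ptr, src.len); len = src.len; return true; }
    char *fresh = static_cast<char *>(std::malloc(src.len + 1));
    if (!fresh) return false;
    std::memcpy(fresh, src.ptr, src.len);   // read src while it is still alive
    free_buffer();
    ptr = fresh; cap = src.len + 1; alloced = true; len = src.len;
    return true;
  }
  std::string str() const { return std::string(ptr, len); }
};
// The reported scenario in miniature: a 32-byte block fully in use, a view over
// all of it, and a copy needing 33 bytes, so alloc() would free the view's bytes.
bool aliased_copy_survives() {
  BinStr dst; dst.real_alloc(31);           // cap == 32
  std::memset(dst.ptr, 'a', 32); dst.len = 32;
  BinStr view; view.set_view(dst.ptr, 32);  // points into dst's own block
  return dst.source_aliases(view) && dst.copy_safe(view) && dst.str() == std::string(32, 'a');
}
bool plain_copy_works() {                   // a non-aliased source takes the original path
  BinStr src; src.real_alloc(5); std::memcpy(src.ptr, "hello", 5); src.len = 5;
  BinStr dst; dst.real_alloc(2);
  return !dst.source_aliases(src) && dst.copy_safe(src) && dst.str() == "hello";
}
```

Running copy_raw() instead of copy_safe() in aliased_copy_survives() under ASAN reproduces the same heap-use-after-free in memmove() that the reports above show.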



 Comments   
Comment by Elena Stepanova [ 2022-05-12 ]

Another one, started from the same commit

CREATE TABLE t (f VARCHAR(512) COMPRESSED);
INSERT INTO t VALUES (REPEAT('a',357)),(REPEAT('b',360));
SELECT CASE (BINARY f) WHEN 'foo' THEN 1 END AS x FROM t GROUP BY x;
 
# Cleanup
DROP TABLE t;

10.6 7da0f30c

==562164==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000210d8 at pc 0x7f9539576541 bp 0x7f952fc9aa80 sp 0x7f952fc9a230
READ of size 360 at 0x6130000210d8 thread T5
    #0 0x7f9539576540 in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789
    #1 0x56302b4ebc03 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:250
    #2 0x56302bb26b2f in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
    #3 0x56302bb26b2f in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1727
    #4 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
    #5 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
    #6 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
    #7 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
    #8 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
    #9 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
    #10 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
    #11 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
    #12 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
    #13 0x56302b3b621a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21147
    #14 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
    #15 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
    #16 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
    #17 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
    #18 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #19 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
    #20 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #21 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #22 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #23 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #24 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #25 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #26 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #27 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
    #28 0x7f9538c4fdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
 
0x6130000210d8 is located 24 bytes inside of 384-byte region [0x6130000210c0,0x613000021240)
freed by thread T5 here:
    #0 0x7f95395e6b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x56302b4eb12e in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:227
    #2 0x56302b4eb12e in Binary_string::free_buffer() /data/src/10.6/sql/sql_string.h:222
    #3 0x56302b4eb12e in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:44
    #4 0x56302b4ebb46 in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
    #5 0x56302b4ebb46 in Binary_string::copy(Binary_string const&) /data/src/10.6/sql/sql_string.cc:247
    #6 0x56302bb26b2f in String::copy(String const&) /data/src/10.6/sql/sql_string.h:880
    #7 0x56302bb26b2f in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1727
    #8 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
    #9 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
    #10 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
    #11 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
    #12 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
    #13 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
    #14 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
    #15 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
    #16 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
    #17 0x56302b3b621a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21147
    #18 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
    #19 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
    #20 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
    #21 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
    #22 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #23 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
    #24 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #25 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #26 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #27 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #28 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #29 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #30 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #31 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
 
previously allocated by thread T5 here:
    #0 0x7f95395e6e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56302caaafa8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
    #2 0x56302b4eb08c in Binary_string::real_alloc(unsigned long) /data/src/10.6/sql/sql_string.cc:45
    #3 0x56302b9fd41a in Binary_string::alloc(unsigned long) /data/src/10.6/sql/sql_string.h:698
    #4 0x56302b9fd41a in uncompress_zlib /data/src/10.6/sql/field_comp.cc:110
    #5 0x56302b9c13ef in Field_longstr::uncompress(String*, String*, unsigned char const*, unsigned int) const /data/src/10.6/sql/field.cc:8424
    #6 0x56302bd75954 in Item_char_typecast::val_str_generic(String*) /data/src/10.6/sql/item_timefunc.cc:3172
    #7 0x56302bb26a7c in cmp_item_sort_string::store_value(Item*) /data/src/10.6/sql/item_cmpfunc.h:1722
    #8 0x56302badb3e1 in Predicant_to_list_comparator::cmp_arg(Item_args*, unsigned int) /data/src/10.6/sql/item_cmpfunc.h:2068
    #9 0x56302badb3e1 in Predicant_to_list_comparator::cmp(Item_args*, unsigned int*, bool*) /data/src/10.6/sql/item_cmpfunc.h:2259
    #10 0x56302badb3e1 in Item_func_case_simple::find_item() /data/src/10.6/sql/item_cmpfunc.cc:3013
    #11 0x56302bacefe5 in Item_func_case::int_op() /data/src/10.6/sql/item_cmpfunc.cc:3051
    #12 0x56302ba9701f in Item::save_int_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6814
    #13 0x56302ba5eec0 in Item::save_in_field(Field*, bool) /data/src/10.6/sql/item.cc:6824
    #14 0x56302b408490 in copy_funcs(Item**, THD const*) /data/src/10.6/sql/sql_select.cc:26315
    #15 0x56302b4087ca in end_write /data/src/10.6/sql/sql_select.cc:22593
    #16 0x56302b378ac6 in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21338
    #17 0x56302b3b60d4 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:21108
    #18 0x56302b4578e1 in do_select /data/src/10.6/sql/sql_select.cc:20653
    #19 0x56302b4578e1 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4755
    #20 0x56302b4593f2 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4533
    #21 0x56302b451cfb in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5012
    #22 0x56302b4537d5 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #23 0x56302b2ca5a0 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
    #24 0x56302b2f3137 in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #25 0x56302b2f808a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #26 0x56302b2fd6c4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #27 0x56302b3030c5 in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #28 0x56302b68807d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #29 0x56302b6885bc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #30 0x56302c1c096b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #31 0x7f9539052ea6 in start_thread nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7f95395922a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x56302c1c0be9 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:52
    #2 0x56302c1c0be9 in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
    #3 0x56302b05dfcd in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
    #4 0x56302b05dfcd in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5970
    #5 0x56302b069747 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6091
    #6 0x56302b06a2df in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6215
    #7 0x56302b06bb69 in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5865
    #8 0x7f9538b78d09 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:789 in __interceptor_memmove

Comment by Roel Van de Paar [ 2022-09-05 ]

The original testcase

SELECT CAST(MD5(NOW()) AS CHAR) AS f, COUNT(*) FROM DUAL GROUP BY f;

Does not fail for me in any release.

The second testcase fails in 10.6 to 10.11.

ASAN|heap-use-after-free|sql/sql_string.cc|__interceptor_memmove|Binary_string::copy|String::copy|cmp_item_sort_string::store_value
ASAN|heap-use-after-free|sql/sql_string.cc|memmove|Binary_string::copy|String::copy|cmp_item_sort_string::store_value

Comment by Roel Van de Paar [ 2023-08-04 ]

This testcase:

SET NAMES DEFAULT;
SELECT CAST(MD5 (NOW()) AS CHAR) AS f,COUNT(*);

Currently (builds as of 1 Aug 23) produces these stacks:

ASAN|heap-use-after-free|sql/sql_string.cc|__interceptor_memmove|Binary_string::copy|String::copy|Item_copy_string::copy
ASAN|heap-use-after-free|sql/sql_string.cc|memmove|Binary_string::copy|String::copy|Item_copy_string::copy

Bug confirmed present in:
MariaDB: 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.10.6 (dbg), 10.11.5 (dbg), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt)

11.1.2 adc13e2c167c90f4b287efa7b1165c68d441be8d (Debug)

11.1.2-dbg>SET NAMES DEFAULT;
Query OK, 0 rows affected (0.000 sec)
 
11.1.2-dbg>SELECT CAST(MD5 (NOW()) AS CHAR) AS f,COUNT(*);
+----------------------------------+----------+
| f                                | COUNT(*) |
+----------------------------------+----------+
| ��������������������������������                                 |        1 |
+----------------------------------+----------+
1 row in set (0.000 sec)

Comment by Roel Van de Paar [ 2023-08-04 ]

SELECT CAST(MD5 (NOW()) AS CHAR);

Will give

1d50fa80cfab2fe8da3b78e9e254d613

However,

SELECT '1d50fa80cfab2fe8da3b78e9e254d613' AS f,COUNT(*);

Does not produce the same heap-use-after-free.

Generated at Thu Feb 08 09:48:13 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.