[MDEV-28267] ASAN heap-use-after-free in Item_sp::func_name_cstring Created: 2022-04-08  Updated: 2022-04-09  Resolved: 2022-04-09

Status: Closed
Project: MariaDB Server
Component/s: Stored routines
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s: 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3

Type: Bug Priority: Critical
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Relates
relates to MDEV-25243 ASAN heap-use-after-free in Item_func... Closed
relates to MDEV-28166 sql_mode=ORACLE: fully qualified pack... Closed

 Description   

The test case below uses a function from the sys schema, and for some reason I can't get rid of it (e.g. by creating a similar custom function). Because of this, the test case is not applicable to earlier versions. However, the failure started happening after a merge into 10.6, and the most suspicious commit belongs to 10.3. Please adjust affected/fix version if needed after analysis.

The test case is non-deterministic, run with --repeat=N. It usually fails for me within 10 attempts on a non-debug ASAN build. It can vary on different machines and builds. Hopefully after analysis both problems (non-determinism and the use of sys schema) will be solved, and a better test case will be added to the regression suite instead.

--source include/have_innodb.inc
 
--connect (con1,localhost,root,,test)
--send
  ANALYZE FORMAT=JSON SELECT * FROM INFORMATION_SCHEMA.COLUMNS, information_schema.INNODB_LOCKS, performance_schema.table_io_waits_summary_by_index_usage
  WHERE sys.format_time(SUM_TIMER_INSERT) < ordinal_position;
 
--connection default
SELECT * FROM INFORMATION_SCHEMA.TABLES LIMIT 1;
CREATE PROCEDURE sp() BEGIN END;
 
--connection con1
--reap
 
# Cleanup
--disconnect con1
--connection default
DROP PROCEDURE sp;

10.6 4e1ca388

==3514552==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250005b91c0 at pc 0x557bbc2e2243 bp 0x7fd1eccbbb40 sp 0x7fd1eccbbb38
READ of size 8 at 0x6250005b91c0 thread T20
    #0 0x557bbc2e2242 in Item_sp::func_name_cstring(THD*) const /data/src/10.6/sql/item.cc:2777
    #1 0x557bbc416e25 in Item_func::print(String*, enum_query_type) /data/src/10.6/sql/item_func.cc:608
    #2 0x557bbc4173d2 in Item_func::print_op(String*, enum_query_type) /data/src/10.6/sql/item_func.cc:630
    #3 0x557bbbf47b9a in write_item /data/src/10.6/sql/sql_explain.cc:1515
    #4 0x557bbbf5d594 in Explain_table_access::print_explain_json(Explain_query*, Json_writer*, bool) /data/src/10.6/sql/sql_explain.cc:1875
    #5 0x557bbbf5e94b in Explain_basic_join::print_explain_json_interns(Explain_query*, Json_writer*, bool) /data/src/10.6/sql/sql_explain.cc:1100
    #6 0x557bbbf5f071 in Explain_select::print_explain_json(Explain_query*, Json_writer*, bool) /data/src/10.6/sql/sql_explain.cc:999
    #7 0x557bbbf4beee in Explain_query::print_explain_json(select_result_sink*, bool) /data/src/10.6/sql/sql_explain.cc:223
    #8 0x557bbbf4c8ed in Explain_query::send_explain(THD*) /data/src/10.6/sql/sql_explain.cc:175
    #9 0x557bbbb2d8b2 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6283
    #10 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #11 0x557bbbb5b3aa in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #12 0x557bbbb609e4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #13 0x557bbbb663dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #14 0x557bbbee968d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #15 0x557bbbee9bcc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #16 0x557bbca20e9b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #17 0x7fd1ffa32ea6 in start_thread nptl/pthread_create.c:477
    #18 0x7fd1ff62fdee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
 
0x6250005b91c0 is located 192 bytes inside of 8240-byte region [0x6250005b9100,0x6250005bb130)
freed by thread T20 here:
    #0 0x7fd1fffc6b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x557bbd2fc043 in free_root /data/src/10.6/mysys/my_alloc.c:410
    #2 0x557bbb9395d1 in sp_head::destroy(sp_head*) /data/src/10.6/sql/sp_head.cc:521
    #3 0x557bbd2d847e in my_hash_delete /data/src/10.6/mysys/hash.c:632
    #4 0x557bbb93021d in sp_cache::remove(sp_head*) /data/src/10.6/sql/sp_cache.cc:59
    #5 0x557bbb93021d in sp_cache_flush_obsolete(sp_cache**, sp_head**) /data/src/10.6/sql/sp_cache.cc:236
    #6 0x557bbc75f04a in Sp_handler::sp_cache_routine(THD*, Database_qualified_name const*, bool, sp_head**) const /data/src/10.6/sql/sp.cc:2829
    #7 0x557bbc76a45f in Sroutine_hash_entry::sp_cache_routine(THD*, bool, sp_head**) const /data/src/10.6/sql/sp.cc:2787
    #8 0x557bbb9ecee6 in open_and_process_routine /data/src/10.6/sql/sql_base.cc:3446
    #9 0x557bbb9ecee6 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.6/sql/sql_base.cc:4364
    #10 0x557bbb9efa17 in open_tables /data/src/10.6/sql/sql_base.h:265
    #11 0x557bbb9efa17 in open_normal_and_derived_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /data/src/10.6/sql/sql_base.cc:5329
    #12 0x557bbb9efc08 in open_tables_only_view_structure(THD*, TABLE_LIST*, bool) /data/src/10.6/sql/sql_base.cc:5380
    #13 0x557bbbcc8bf7 in fill_schema_table_by_open /data/src/10.6/sql/sql_show.cc:4675
    #14 0x557bbbd1f7f0 in get_all_tables(THD*, TABLE_LIST*, Item*) /data/src/10.6/sql/sql_show.cc:5320
    #15 0x557bbbd254e3 in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.6/sql/sql_show.cc:8844
    #16 0x557bbbcb9944 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4710
    #17 0x557bbbcbca32 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4531
    #18 0x557bbbcb533b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:5010
    #19 0x557bbbcb6e15 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:545
    #20 0x557bbbb2e2a7 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
    #21 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #22 0x557bbbb5b3aa in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #23 0x557bbbb609e4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #24 0x557bbbb663dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #25 0x557bbbee968d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #26 0x557bbbee9bcc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #27 0x557bbca20e9b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #28 0x7fd1ffa32ea6 in start_thread nptl/pthread_create.c:477
 
previously allocated by thread T20 here:
    #0 0x7fd1fffc6e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x557bbd30ebe8 in my_malloc /data/src/10.6/mysys/my_malloc.c:90
    #2 0x557bbd2fb1e6 in init_alloc_root /data/src/10.6/mysys/my_alloc.c:81
    #3 0x557bbbe6f794 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/src/10.6/sql/thr_malloc.cc:64
    #4 0x557bbb93afb5 in sp_head::create(sp_package*, Sp_handler const*, enum_sp_aggregate_type) /data/src/10.6/sql/sp_head.cc:500
    #5 0x557bbbaeae06 in LEX::make_sp_head(THD*, sp_name const*, Sp_handler const*, enum_sp_aggregate_type) /data/src/10.6/sql/sql_lex.cc:7364
    #6 0x557bbbb03e13 in LEX::stmt_create_stored_function_start(DDL_options_st const&, enum_sp_aggregate_type, sp_name const*) /data/src/10.6/sql/sql_lex.cc:11412
    #7 0x557bbc144d99 in MYSQLparse(THD*) /data/src/10.6/sql/sql_yacc.yy:18432
    #8 0x557bbbb4aeec in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /data/src/10.6/sql/sql_parse.cc:10436
    #9 0x557bbc758c62 in sp_compile /data/src/10.6/sql/sp.cc:877
    #10 0x557bbc75d585 in Sp_handler::db_load_routine(THD*, Database_qualified_name const*, sp_head**, unsigned long long, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_sp_chistics const&, AUTHID const&, long long, long long, sp_package*, Stored_program_creation_ctx*) const /data/src/10.6/sql/sp.cc:1004
    #11 0x557bbc75e941 in Sp_handler::db_find_routine(THD*, Database_qualified_name const*, sp_head**) const /data/src/10.6/sql/sp.cc:766
    #12 0x557bbc75ee79 in Sp_handler::db_find_and_cache_routine(THD*, Database_qualified_name const*, sp_head**) const /data/src/10.6/sql/sp.cc:790
    #13 0x557bbc75f07c in Sp_handler::sp_cache_routine(THD*, Database_qualified_name const*, bool, sp_head**) const /data/src/10.6/sql/sp.cc:2834
    #14 0x557bbc76a45f in Sroutine_hash_entry::sp_cache_routine(THD*, bool, sp_head**) const /data/src/10.6/sql/sp.cc:2787
    #15 0x557bbb9ecee6 in open_and_process_routine /data/src/10.6/sql/sql_base.cc:3446
    #16 0x557bbb9ecee6 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.6/sql/sql_base.cc:4364
    #17 0x557bbb9ef40e in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.6/sql/sql_base.cc:5265
    #18 0x557bbbb2d61e in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.6/sql/sql_base.h:509
    #19 0x557bbbb2d61e in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6192
    #20 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
    #21 0x557bbbb5b3aa in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8045
    #22 0x557bbbb609e4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1912
    #23 0x557bbbb663dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1409
    #24 0x557bbbee968d in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1418
    #25 0x557bbbee9bcc in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
    #26 0x557bbca20e9b in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
    #27 0x7fd1ffa32ea6 in start_thread nptl/pthread_create.c:477
 
Thread T20 created by T0 here:
    #0 0x7fd1fff722a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x557bbca21119 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:52
    #2 0x557bbca21119 in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
    #3 0x557bbb8c199d in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
    #4 0x557bbb8c199d in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5934
    #5 0x557bbb8cd127 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6055
    #6 0x557bbb8cdcbf in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6179
    #7 0x557bbb8cf54e in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5829
    #8 0x7fd1ff558d09 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.6/sql/item.cc:2777 in Item_sp::func_name_cstring(THD*) const
==3514552==ABORTING
220408 14:59:47 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.6.8-MariaDB-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=2
max_threads=153
thread_count=2
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63735 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x62b0000ee218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fd1eccbe990 thread_stack 0x5fc00
sanitizer_common/sanitizer_common_interceptors.inc:4101(__interceptor_backtrace.part.0)[0x7fd1fff60df1]
mysys/stacktrace.c:213(my_print_stacktrace)[0x557bbd3176b6]
sql/signal_handler.cc:223(handle_fatal_signal)[0x557bbc271db4]
sigaction.c:0(__restore_rt)[0x7fd1ffa3e140]
linux/raise.c:51(__GI_raise)[0x7fd1ff56dce1]
stdlib/abort.c:81(__GI_abort)[0x7fd1ff557537]
sanitizer_common/sanitizer_posix_libcdep.cpp:149(__sanitizer::Abort())[0x7fd1fffe211b]
sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7fd1fffecce8]
asan/asan_report.cpp:186(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7fd1fffcf44c]
asan/asan_report.cpp:474(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7fd1fffced47]
asan/asan_rtl.cpp:120(__asan_report_load8)[0x7fd1fffcf938]
sql/sql_string.h:706(Binary_string::realloc(unsigned long))[0x557bbc2e2243]
sql/item_func.cc:608(Item_func::print(String*, enum_query_type))[0x557bbc416e26]
sql/sql_string.h:586(Binary_string::append_char(char))[0x557bbc4173d3]
sql/sql_explain.cc:1517(write_item(Json_writer*, Item*))[0x557bbbf47b9b]
sql/sql_explain.cc:1878(Explain_table_access::print_explain_json(Explain_query*, Json_writer*, bool))[0x557bbbf5d595]
sql/sql_explain.cc:1102(Explain_basic_join::print_explain_json_interns(Explain_query*, Json_writer*, bool))[0x557bbbf5e94c]
sql/sql_explain.cc:1004(Explain_select::print_explain_json(Explain_query*, Json_writer*, bool))[0x557bbbf5f072]
sql/sql_explain.cc:235(Explain_query::print_explain_json(select_result_sink*, bool))[0x557bbbf4beef]
sql/sql_explain.cc:182(Explain_query::send_explain(THD*))[0x557bbbf4c8ee]
sql/sql_parse.cc:6283(execute_sqlcom_select(THD*, TABLE_LIST*))[0x557bbbb2d8b3]
sql/sql_parse.cc:3961(mysql_execute_command(THD*, bool))[0x557bbbb56440]
sql/sql_parse.cc:8062(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x557bbbb5b3ab]
sql/sql_parse.cc:1914(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x557bbbb609e5]
sql/sql_parse.cc:1411(do_command(THD*, bool))[0x557bbbb663de]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x557bbbee968e]
sql/sql_connect.cc:1312(handle_one_connection)[0x557bbbee9bcd]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x557bbca20e9c]
nptl/pthread_create.c:478(start_thread)[0x7fd1ffa32ea7]
x86_64/clone.S:97(__GI___clone)[0x7fd1ff62fdef]
 
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b0000f53d0): ANALYZE FORMAT=JSON SELECT * FROM INFORMATION_SCHEMA.COLUMNS, information_schema.INNODB_LOCKS, performance_schema.table_io_waits_summary_by_index_usage
WHERE sys.format_time(SUM_TIMER_INSERT) < ordinal_position
 
Connection ID (thread ID): 10
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off
 
The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_auto_WM2l/mysqld.1/data
Resource Limits:
Limit                     Soft Limit           Hard Limit           Units     
Max cpu time              unlimited            unlimited            seconds   
Max file size             unlimited            unlimited            bytes     
Max data size             unlimited            unlimited            bytes     
Max stack size            8388608              unlimited            bytes     
Max core file size        unlimited            unlimited            bytes     
Max resident set          unlimited            unlimited            bytes     
Max processes             385901               385901               processes 
Max open files            1024                 1024                 files     
Max locked memory         12659513856          12659513856          bytes     
Max address space         unlimited            unlimited            bytes     
Max file locks            unlimited            unlimited            locks     
Max pending signals       385901               385901               signals   
Max msgqueue size         819200               819200               bytes     
Max nice priority         0                    0                    
Max realtime priority     0                    0                    
Max realtime timeout      unlimited            unlimited            us        
Core pattern: core

The failure started happening on 10.6 after this merge:

commit b242c3141f263f9f73f179ad5edd385906109262
Merge: b2fa874e462 c14f60a72f2
Author: Marko Mäkelä
Date:   Tue Mar 29 16:16:21 2022 +0300
 
    Merge 10.5 into 10.6

I think this commit has something to do with it:

commit 6437b304048d0b42e6b2b8f59631ea04bd3c2891
Author: Alexander Barkov
Date:   Fri Mar 25 07:05:08 2022 +0400
 
    MDEV-28166 sql_mode=ORACLE: fully qualified package function calls do not work: db.pkg.func()

but I cannot verify the claim.

Set to Critical as a recent non-debug regression.

Further modifications of the test case change the failure to the already known MDEV-25243 (same test case as above, but without information_schema.INNODB_LOCKS in ANALYZE).
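A triage helper for the ASAN report in the description, added here as an example and not part of the original issue or of MariaDB: it splits a heap-use-after-free report into its use, free and allocation stacks and finds the innermost caller all three share. The function names (parse_stacks, app_frame, common_caller) are this example's own, and the embedded report is abridged from the one above.

```python
import re

# Constructed sample: the ASAN report from this issue, abridged (intermediate frames dropped).
SAMPLE_REPORT = """\
==3514552==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250005b91c0 at pc 0x557bbc2e2243 bp 0x7fd1eccbbb40 sp 0x7fd1eccbbb38
READ of size 8 at 0x6250005b91c0 thread T20
    #0 0x557bbc2e2242 in Item_sp::func_name_cstring(THD*) const /data/src/10.6/sql/item.cc:2777
    #8 0x557bbbf4c8ed in Explain_query::send_explain(THD*) /data/src/10.6/sql/sql_explain.cc:175
    #9 0x557bbbb2d8b2 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6283
    #10 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961

0x6250005b91c0 is located 192 bytes inside of 8240-byte region [0x6250005b9100,0x6250005bb130)
freed by thread T20 here:
    #0 0x7fd1fffc6b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #2 0x557bbb9395d1 in sp_head::destroy(sp_head*) /data/src/10.6/sql/sp_head.cc:521
    #5 0x557bbb93021d in sp_cache_flush_obsolete(sp_cache**, sp_head**) /data/src/10.6/sql/sp_cache.cc:236
    #17 0x557bbbcbca32 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4531
    #20 0x557bbbb2e2a7 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6271
    #21 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961

previously allocated by thread T20 here:
    #0 0x7fd1fffc6e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #4 0x557bbb93afb5 in sp_head::create(sp_package*, Sp_handler const*, enum_sp_aggregate_type) /data/src/10.6/sql/sp_head.cc:500
    #19 0x557bbbb2d61e in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6192
    #20 0x557bbbb5643f in mysql_execute_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:3961
"""

FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (.+) (\S+):(\d+)$")
SECTIONS = {"READ of size": "use", "WRITE of size": "use", "freed by thread": "free", "previously allocated by thread": "alloc"}

def parse_stacks(report):
    """Split a heap-use-after-free report into use/free/alloc stacks of (function, file, line)."""
    stacks, current = {"use": [], "free": [], "alloc": []}, None
    for line in report.splitlines():
        frame = FRAME.match(line)
        if frame and current:
            func, path, lineno = frame.groups()
            stacks[current].append((func.split("(")[0], path.rsplit("/", 1)[-1], int(lineno)))
        elif not line.lstrip().startswith("#"):  # unparsed frames do not end a section
            current = next((k for h, k in SECTIONS.items() if line.startswith(h)), None)
    return stacks

def app_frame(stack):
    """First frame that is not an ASAN interceptor (the allocator wrapper itself)."""
    return next(f for f in stack if not f[0].startswith("__interceptor_"))

def common_caller(stacks):
    """Innermost function shared by all stacks (counted from the outermost frame), with each stack's line in it."""
    rev = {kind: frames[::-1] for kind, frames in stacks.items()}
    found = None
    for frames in zip(*rev.values()):
        if len({f[0] for f in frames}) != 1:
            break
        found = (frames[0][0], dict(zip(rev, (f[2] for f in frames))))
        if len({f[2] for f in frames}) != 1:
            break  # same function, different call sites: the stacks diverge here
    return found

if __name__ == "__main__":
    stacks = parse_stacks(SAMPLE_REPORT)
    for kind in ("alloc", "free", "use"):
        print(kind, app_frame(stacks[kind]))
    print("all inside:", common_caller(stacks))
```

On this report the shared caller is execute_sqlcom_select, with the allocation, free and read reached from lines 6192, 6271 and 6283 of sql_parse.cc, so all three events occur within the execution of one statement on thread T20.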



 Comments   
Comment by Alexander Barkov [ 2022-04-09 ]

Repeatable with this test (without the sys schema) in ASAN builds in 10.3 and 10.4:

CREATE TABLE t1 (a INT);
CREATE FUNCTION test.f1(a INT) RETURNS TEXT RETURN '';
CREATE FUNCTION test.f2(a INT) RETURNS TEXT RETURN '';
CREATE VIEW v1 AS SELECT f1(a) AS v1 FROM t1;
CREATE VIEW v2 AS SELECT f1(a) AS v2 FROM t1;
CREATE VIEW v3 AS SELECT f1(a) AS v3 FROM t1;
CREATE VIEW v4 AS SELECT f1(a) AS v4 FROM t1;
 
--disable_result_log
 
DELIMITER $$;
--send
BEGIN NOT ATOMIC
  FOR i IN 1..10
  DO
    ANALYZE FORMAT=JSON SELECT *
      FROM INFORMATION_SCHEMA.COLUMNS
    WHERE
      TABLE_SCHEMA='test'
    AND
      TABLE_NAME LIKE 'v%'
    AND
      (SLEEP(0.01)=0 OR f1(ordinal_position) >'')
    ORDER BY TABLE_NAME;
  END FOR;
END;
$$
DELIMITER ;$$
 
--connect (con1,localhost,root,,test)
CREATE OR REPLACE FUNCTION f2(a INT) RETURNS TEXT RETURN '';
--connection default
--reap
 
--enable_result_log
 
 
# Cleanup
--disconnect con1
--connection default
 
DROP FUNCTION f1;
DROP FUNCTION f2;
DROP TABLE t1;
DROP VIEW v1, v2, v3, v4;

Generated at Thu Feb 08 09:59:23 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.