[MDEV-28346] UBSAN: runtime error: downcast of address X which does not point to an object of type 'Item_row' in Item_func_in::get_func_row_mm_tree and load of value X, which is not a valid value for type 'geometry_type' on SELECT Created: 2022-04-19  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: range-optimizer, regression

Issue Links:
Relates
relates to MDEV-24066 ASAN unknown-crash in hp_rec_hashnr a... Closed
relates to MDEV-27259 Query with self join and sets of fore... Confirmed

 Description   

SET sql_select_limit=1;
CREATE TABLE t (c1 INT,c2 INT,KEY(c2)) ENGINE=InnoDB;
INSERT INTO t VALUES (0,0),(0,1);
SELECT c2 FROM t WHERE (0,c2) in ((0,1),(0,1),(0,2));

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized)

/test/10.9_opt_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000096d00 which does not point to an object of type 'Item_row'

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt)
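The sanitizer report above boils down to one C++ type confusion: code that receives an Item and static_casts it to Item_row is handed an Item_cache_row instead, which is a sibling class, not a subclass. The following is an added example written for this page, not MariaDB's code; it models that shape with a deliberately simplified hierarchy (the names Item, Item_row and Item_cache_row are borrowed, and the helpers unchecked_row, checked_row and row_cols_or_zero are hypothetical) and shows the unchecked cast beside the type-checked form that refuses it.

```cpp
// Added example for MDEV-28346: a simplified model of the type confusion the
// sanitizer reports. NOT MariaDB's code: the class names are borrowed only so
// the shape is recognisable, and every helper below is hypothetical.
#include <cstddef>

struct Item {
    enum Type { ROW_ITEM, CACHE_ITEM };
    virtual ~Item() = default;
    virtual Type type() const = 0;
};

// A row constructor such as (0, c2): the optimizer walks its columns.
struct Item_row : Item {
    std::size_t n_cols;
    explicit Item_row(std::size_t n) : n_cols(n) {}
    Type type() const override { return ROW_ITEM; }
    std::size_t cols() const { return n_cols; }
};

// A cached row. In the server this is a sibling of Item_row under Item, not a
// subclass of it, so a pointer to one is never a valid Item_row*.
struct Item_cache_row : Item {
    std::size_t n_cached;
    explicit Item_cache_row(std::size_t n) : n_cached(n) {}
    Type type() const override { return CACHE_ITEM; }
};

// The pattern UBSAN flags: an unconditional downcast. When 'arg' really points
// to an Item_cache_row this is undefined behaviour; -fsanitize=vptr reports
// "downcast of address ... which does not point to an object of type
// 'Item_row'" here and "member call on address ..." at the first use.
static Item_row* unchecked_row(Item* arg)
{
    return static_cast<Item_row*>(arg);
}

// Hardened form: check the dynamic type first and let the caller fall back
// (no range tree for this predicate) when the argument is not a genuine row.
static Item_row* checked_row(Item* arg)
{
    if (arg == nullptr || arg->type() != Item::ROW_ITEM)
        return nullptr;
    return static_cast<Item_row*>(arg);
}

// Column count the range optimizer may use, or 0 meaning "do not build a tree".
static std::size_t row_cols_or_zero(Item* arg)
{
    Item_row* row = checked_row(arg);
    return row ? row->cols() : 0;
}

// A genuine two-column row: unchecked and checked paths agree (2).
static std::size_t cols_of_real_row()
{
    Item_row row(2);
    return unchecked_row(&row)->cols() == 2 ? row_cols_or_zero(&row) : 0;
}

// The shape from the bug: a cached row reaches the same code path. The checked
// path refuses the cast and returns 0; the unchecked path would be the UB above.
static std::size_t cols_of_cache_row()
{
    Item_cache_row cache(2);
    return row_cols_or_zero(&cache);
}

int main()
{
    return (cols_of_real_row() == 2 && cols_of_cache_row() == 0) ? 0 : 1;
}
```

Building the model with -fsanitize=undefined and calling unchecked_row on an Item_cache_row reproduces the same "downcast of address" diagnostic class seen in the report; checked_row never reaches that cast.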



 Comments   
Comment by Roel Van de Paar [ 2022-04-19 ]

Full stack from error log

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN)

/test/10.9_opt_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
 be be be be  f8 2c 10 5b 5e 55 00 00  00 00 00 00 00 00 00 be  20 ec e1 62 5e 55 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x555e554e615b in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8144
    #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
    #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
    #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
    #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
    #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
    #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993
    #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
    #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
    #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
    #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
    #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
    #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
    #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
    #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
    #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
    #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
/test/10.9_opt_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
 be be be be  f8 2c 10 5b 5e 55 00 00  00 00 00 00 00 00 00 be  20 ec e1 62 5e 55 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x555e554e4e3d in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8154
    #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
    #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
    #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
    #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
    #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
    #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993
    #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
    #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
    #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
    #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
    #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
    #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
    #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
    #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
    #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
    #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
/test/10.9_opt_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000096d00 which does not point to an object of type 'Item_row'
0x629000096d00: note: object is of type 'Item_cache_row'
 be be be be  f8 2c 10 5b 5e 55 00 00  00 00 00 00 00 00 00 be  20 ec e1 62 5e 55 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x555e554e5b58 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_opt_san/sql/opt_range.cc:8171
    #1 0x555e554bd851 in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_opt_san/sql/opt_range.cc:2886
    #2 0x555e55f111b1 in make_join_select /test/10.9_opt_san/sql/sql_select.cc:12093
    #3 0x555e55f6d71a in JOIN::optimize_stage2() /test/10.9_opt_san/sql/sql_select.cc:2755
    #4 0x555e55f87b6f in JOIN::optimize_inner() /test/10.9_opt_san/sql/sql_select.cc:2492
    #5 0x555e55fa0bbf in JOIN::optimize() /test/10.9_opt_san/sql/sql_select.cc:1808
    #6 0x555e55fb188a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:4993
    #7 0x555e55fb5a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
    #8 0x555e55bcccdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
    #9 0x555e55c0c88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
    #10 0x555e55b9c0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
    #11 0x555e55bf2439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
    #12 0x555e55bfdc92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
    #13 0x555e564e8d3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
    #14 0x555e564eb834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
    #15 0x555e585e91f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
    #16 0x153cd1e35608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #17 0x153cd10aa162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2022-04-19 17:00:01 0 [Note] InnoDB: FTS optimize thread exiting.
2022-04-19 17:00:01 0 [Note] InnoDB: Starting shutdown...
2022-04-19 17:00:01 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/data/ib_buffer_pool
2022-04-19 17:00:01 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:00:01
2022-04-19 17:00:01 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2022-04-19 17:00:01 0 [Note] InnoDB: Shutdown completed; log sequence number 51522; transaction id 24
2022-04-19 17:00:01 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld: Shutdown complete
 
 
=================================================================
==2004915==ERROR: LeakSanitizer: detected memory leaks
 
Direct leak of 96 byte(s) in 6 object(s) allocated from:
    #0 0x555e5535f95e in realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-opt/bin/mariadbd+0x806295e)
    #1 0x153cd1cf19b2  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2)
 
SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s).
220419 17:00:01 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.9.0-MariaDB
read_buffer_size=131072
max_used_connections=1
thread_count=0
Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x0 thread_stack 0x5fc00
asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x555e552bea90]
mysys/stacktrace.c:213(my_print_stacktrace)[0x555e59d9da99]
sql/signal_handler.cc:226(handle_fatal_signal)[0x555e57092a82]
sigaction.c:0(__restore_rt)[0x153cd1e413c0]

Comment by Roel Van de Paar [ 2022-04-19 ]

Two issues are observed with this testcase run across opt/dbg builds. UniqueIDs (/stacks):

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2
UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select

The first one (optimized builds) has its full stack listed in the comment above. The second one (debug builds) in the comment below this one.

Comment by Roel Van de Paar [ 2022-04-19 ]

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)

/test/10.9_dbg_san/sql/opt_range.cc:8144:44: runtime error: downcast of address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
 be be be be  98 b5 d4 ca 2a 56 00 00  00 00 00 00 00 00 00 be  e0 61 37 d3 2a 56 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x562ac4697329 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8144
    #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533
    #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
    #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
    #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
    #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
    #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
    #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993
    #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
    #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
    #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
    #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
    #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
    #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
    #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
    #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
    #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
    #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
/test/10.9_dbg_san/sql/opt_range.cc:8154:50: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
 be be be be  98 b5 d4 ca 2a 56 00 00  00 00 00 00 00 00 00 be  e0 61 37 d3 2a 56 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x562ac46974dc in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8154
    #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533
    #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
    #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
    #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
    #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
    #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
    #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993
    #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
    #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
    #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
    #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
    #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
    #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
    #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
    #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
    #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
    #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
/test/10.9_dbg_san/sql/opt_range.cc:8171:40: runtime error: member call on address 0x629000122e70 which does not point to an object of type 'Item_row'
0x629000122e70: note: object is of type 'Item_cache_row'
 be be be be  98 b5 d4 ca 2a 56 00 00  00 00 00 00 00 00 00 be  e0 61 37 d3 2a 56 00 00  04 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'Item_cache_row'
    #0 0x562ac4697bf1 in Item_func_in::get_func_row_mm_tree(RANGE_OPT_PARAM*, Item_row*) /test/10.9_dbg_san/sql/opt_range.cc:8171
    #1 0x562ac469a679 in Item_func_in::get_mm_tree(RANGE_OPT_PARAM*, Item**) /test/10.9_dbg_san/sql/opt_range.cc:8533
    #2 0x562ac46c20bd in SQL_SELECT::test_quick_select(THD*, Bitmap<64u>, unsigned long long, unsigned long long, bool, bool, bool, bool) /test/10.9_dbg_san/sql/opt_range.cc:2886
    #3 0x562ac52785f8 in make_join_select /test/10.9_dbg_san/sql/sql_select.cc:12093
    #4 0x562ac5382026 in JOIN::optimize_stage2() /test/10.9_dbg_san/sql/sql_select.cc:2755
    #5 0x562ac539e083 in JOIN::optimize_inner() /test/10.9_dbg_san/sql/sql_select.cc:2492
    #6 0x562ac539fa30 in JOIN::optimize() /test/10.9_dbg_san/sql/sql_select.cc:1808
    #7 0x562ac53a3260 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:4993
    #8 0x562ac53a4ef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
    #9 0x562ac4f11fc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
    #10 0x562ac4f77216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
    #11 0x562ac4ed9728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
    #12 0x562ac4f4f44e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
    #13 0x562ac4f65fa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
    #14 0x562ac5a32c4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
    #15 0x562ac5a35ae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
    #16 0x562ac7f8ec62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
    #17 0x14a3ab3f7608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #18 0x14a3aa66c162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)
 
2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2022-04-19 17:31:07 0 [Note] InnoDB: FTS optimize thread exiting.
2022-04-19 17:31:07 0 [Note] InnoDB: Starting shutdown...
2022-04-19 17:31:07 0 [Note] InnoDB: Dumping buffer pool(s) to /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/data/ib_buffer_pool
2022-04-19 17:31:07 0 [Note] InnoDB: Buffer pool(s) dump completed at 220419 17:31:07
2022-04-19 17:31:07 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2022-04-19 17:31:07 0 [Note] InnoDB: Shutdown completed; log sequence number 51948; transaction id 24
2022-04-19 17:31:07 0 [Note] /test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld: Shutdown complete
 
 
=================================================================
==1961114==ERROR: LeakSanitizer: detected memory leaks
 
Direct leak of 96 byte(s) in 6 object(s) allocated from:
    #0 0x562ac44eb67e in __interceptor_realloc (/test/UBASAN_MD090422-mariadb-10.9.0-linux-x86_64-dbg/bin/mariadbd+0x849e67e)
    #1 0x14a3ab2b39b2  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xac9b2)
 
SUMMARY: AddressSanitizer: 96 byte(s) leaked in 6 allocation(s).
220419 17:31:09 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.9.0-MariaDB-debug
read_buffer_size=131072
max_used_connections=1
thread_count=0
Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x0 thread_stack 0x100000

Comment by Roel Van de Paar [ 2022-09-14 ]

This testcase:

CREATE TABLE t (a INT PRIMARY KEY, b INT) ENGINE=InnoDB;
INSERT INTO t VALUES (0,0),(1,1),(2,2);
SET SESSION sql_select_limit=2;
ALTER TABLE t CHANGE COLUMN a a BINARY (216);
SELECT * FROM t x WHERE (a, b) IN ((0, 0),(1,0));

Will show the following issues across versions:

UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|Item_func_in::get_mm_tree|SQL_SELECT::test_quick_select|make_join_select
UBSAN|downcast of address X which does not point to an object of type 'Item_row'|sql/opt_range.cc|Item_func_in::get_func_row_mm_tree|SQL_SELECT::test_quick_select|make_join_select|JOIN::optimize_stage2
UBSAN|load of value X, which is not a valid value for type 'geometry_type'|sql/unireg.cc|make_empty_rec|build_frm_image|mysql_create_frm_image|create_table_impl

10.3.37 57739ae94a4af580c62bbc87d364fa002c5dbe04 (Optimized, UBASAN)

2022-09-14 15:31:17 0 [Note] /test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/bin/mysqld: ready for connections.
Version: '10.3.37-MariaDB'  socket: '/test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/socket.sock'  port: 10355  MariaDB Server
/test/10.3_opt_san/sql/unireg.cc:1067:32: runtime error: load of value 25264, which is not a valid value for type 'geometry_type'
    #0 0x558923e57d43 in make_empty_rec /test/10.3_opt_san/sql/unireg.cc:1067
    #1 0x558923e57d43 in build_frm_image(THD*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, List<Create_field>&, unsigned int, st_key*, handler*) /test/10.3_opt_san/sql/unireg.cc:394
    #2 0x558924944ec5 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/10.3_opt_san/sql/sql_table.cc:4868
    #3 0x55892496d185 in create_table_impl /test/10.3_opt_san/sql/sql_table.cc:5110
    #4 0x558924981fc7 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /test/10.3_opt_san/sql/sql_table.cc:9982
    #5 0x558924b74d77 in Sql_cmd_alter_table::execute(THD*) /test/10.3_opt_san/sql/sql_alter.cc:512
    #6 0x5589245cd9b1 in mysql_execute_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:6076
    #7 0x5589245e7984 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:7871
    #8 0x5589245ee119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:1852
    #9 0x5589245f65e3 in do_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:1398
    #10 0x558924b638d6 in do_handle_one_connection(CONNECT*) /test/10.3_opt_san/sql/sql_connect.cc:1403
    #11 0x558924b6421c in handle_one_connection /test/10.3_opt_san/sql/sql_connect.cc:1308
    #12 0x15511bfdb608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #13 0x15511b593132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Generated at Thu Feb 08 10:00:00 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.