[MDEV-31022] SIGSEGV in maria_create from create_internal_tmp_table Created: 2023-04-07  Updated: 2023-08-28  Resolved: 2023-05-09

Status: Closed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 11.0, 11.1
Fix Version/s: 11.1.1, 11.0.2

Type: Bug Priority: Blocker
Reporter: Ramesh Sivaraman Assignee: Sergei Petrunia
Resolution: Fixed Votes: 0
Labels: ASAN, memory_corruption, not-innodb, regression-11.0, stack-smashing

Issue Links:
Problem/Incident
is caused by MDEV-30540 Wrong result with IN list length reac... Closed

Description

SET SQL_MODE='';
SET SESSION enforce_storage_engine=Aria;
CREATE TABLE t (c INT,c2 CHAR(1) NOT NULL);
SET @@optimizer_where_cost=1;
SET big_tables=1;
SET @@in_predicate_conversion_threshold=2;
INSERT INTO t (c) VALUES (1);
SELECT * FROM t WHERE c2 IN ('','');

Leads to:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Optimized)

Core was generated by `/test/MD070423-mariadb-11.1.0-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  maria_create (
    name=0x145bc80529f0 "/test/MD070423-mariadb-11.1.0-linux-x86_64=opt/data/#sql-temptable-56b39-4=1", datafile_type=<optimized out>, keys=2, 
    keydefs=keydefs@entry=0x145c14172310, columns=2, 
    columndef=columndef@entry=0x145bc8052830, uniques=0, 
    uniquedefs=0x145c14172290, ci=0x145c141722b0, flags=260)
    at /test/11.1_opt/storage/maria/ma_create.c:574
574		switch (keyseg->type) {
[Current thread is 1 (Thread 0x145c14174700 (LWP 355154))]
(gdb) bt
#0  maria_create (name=0x145bc80529f0 "/test/MD070423-mariadb-11.1.0-linux-x86_64=opt/data/#sql-temptable-56b39-4=1", datafile_type=<optimized out>, keys=2, keydefs=keydefs@entry=0x145c14172310, columns=2, columndef=columndef@entry=0x145bc8052830, uniques=0, uniquedefs=0x145c14172290, ci=0x145c141722b0, flags=260) at /test/11.1_opt/storage/maria/ma_create.c:574
#1  0x00005586010bcee9 in create_internal_tmp_table (table=0x145bc8051e30, keyinfo=<optimized out>, start_recinfo=0x145bc8052830, recinfo=0x145bc8014688, options=<optimized out>) at /test/11.1_opt/sql/sql_select.cc:21946
#2  0x00005586014deeca in ha_partition::pre_direct_update_rows_init (this=0x145bc804cdb8, update_fields=<optimized out>) at /test/11.1_opt/sql/ha_partition.cc:11828
#3  0x000055860101fcb8 in mysql_handle_single_derived (lex=0x145bc8051e30, derived=derived@entry=0x145bc804cdb8, phases=3355462664, phases@entry=96) at /test/11.1_opt/sql/sql_derived.cc:200
#4  0x00005586010b11f0 in st_join_table::preread_init (this=this@entry=0x145bc80553e0) at /test/11.1_opt/sql/sql_select.cc:15666
#5  0x00005586010b13b8 in sub_select (end_of_records=false, join_tab=0x145bc80553e0, join=0x145bc8012288) at /test/11.1_opt/sql/sql_select.cc:23021
#6  sub_select (join=0x145bc8012288, join_tab=0x145bc80553e0, end_of_records=false) at /test/11.1_opt/sql/sql_select.cc:22953
#7  0x00005586010e2049 in do_select (procedure=<optimized out>, join=0x145bc8012288) at /test/11.1_opt/sql/sql_select.cc:22569
#8  JOIN::exec_inner (this=0x145bc8012288) at /test/11.1_opt/sql/sql_select.cc:4897
#9  0x00005586010e24ce in JOIN::exec (this=this@entry=0x145bc8012288) at /test/11.1_opt/sql/sql_select.cc:4674
#10 0x00005586010e061c in mysql_select (thd=0x145bc8000c58, tables=0x145bc8010e38, fields=<optimized out>, conds=0x145bc80117e0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x145bc8012260, unit=0x145bc8004ce0, select_lex=0x145bc8010818) at /test/11.1_opt/sql/sql_select.cc:5155
#11 0x00005586010e0d67 in handle_select (thd=thd@entry=0x145bc8000c58, lex=lex@entry=0x145bc8004c08, result=result@entry=0x145bc8012260, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_opt/sql/sql_select.cc:611
#12 0x000055860105fbbe in execute_sqlcom_select (thd=0x145bc8000c58, all_tables=0x145bc8010e38) at /test/11.1_opt/sql/sql_parse.cc:6024
#13 0x000055860106d3f2 in mysql_execute_command (thd=0x145bc8000c58, is_called_from_prepared_stmt=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:3944
#14 0x000055860105aaa5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x145bc8000c58) at /test/11.1_opt/sql/sql_parse.cc:7760
#15 mysql_parse (thd=0x145bc8000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.1_opt/sql/sql_parse.cc:7682
#16 0x0000558601066ad2 in dispatch_command (command=COM_QUERY, thd=0x145bc8000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.1_opt/sql/sql_class.h:1370
#17 0x00005586010688de in do_command (thd=0x145bc8000c58, blocking=blocking@entry=true) at /test/11.1_opt/sql/sql_parse.cc:1405
#18 0x000055860118722f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558603e36fe8, put_in_cache=put_in_cache@entry=true) at /test/11.1_opt/sql/sql_connect.cc:1416
#19 0x000055860118751d in handle_one_connection (arg=0x558603e36fe8) at /test/11.1_opt/sql/sql_connect.cc:1318
#20 0x0000145c4108e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#21 0x0000145c40c7a133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

Core was generated by `/test/MD040423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055935057dc9f in maria_create (
    name=0x14d02c0794e8 "/test/MD040423-mariadb-11.1.0-linux-x86_64-dbg/data/#sql-temptable-11a892-4-1", datafile_type=<optimized out>, keys=2, 
    keydefs=keydefs@entry=0x14d0680a71f0, columns=2, 
    columndef=columndef@entry=0x14d02c079318, uniques=0, 
    uniquedefs=0x14d0680a7170, ci=0x14d0680a7190, flags=260)
    at /test/11.1_dbg/storage/maria/ma_create.c:547
[Current thread is 1 (Thread 0x14d0680a9700 (LWP 1157977))]
(gdb) bt
#0  0x000055935057dc9f in maria_create (name=0x14d02c0794e8 "/test/MD040423-mariadb-11.1.0-linux-x86_64-dbg/data/#sql-temptable-11a892-4-1", datafile_type=<optimized out>, keys=2, keydefs=keydefs@entry=0x14d0680a71f0, columns=2, columndef=columndef@entry=0x14d02c079318, uniques=0, uniquedefs=0x14d0680a7170, ci=0x14d0680a7190, flags=260) at /test/11.1_dbg/storage/maria/ma_create.c:547
#1  0x00005593500ea806 in create_internal_tmp_table (table=table@entry=0x14d02c0787d0, keyinfo=<optimized out>, start_recinfo=0x14d02c079318, recinfo=0x14d02c017098, options=<optimized out>) at /test/11.1_dbg/sql/sql_select.cc:21946
#2  0x00005593500319c4 in mysql_derived_create (thd=0x14d02c000d48, lex=<optimized out>, derived=0x14d02c073a08) at /test/11.1_dbg/sql/sql_lex.h:986
#3  0x0000559350032620 in mysql_handle_single_derived (lex=0x14d02c004eb8, derived=derived@entry=0x14d02c073a08, phases=phases@entry=96) at /test/11.1_dbg/sql/sql_derived.cc:200
#4  0x00005593500dc1c3 in st_join_table::preread_init (this=this@entry=0x14d02c07bf28) at /test/11.1_dbg/sql/sql_select.cc:15666
#5  0x00005593500dc754 in sub_select (join=0x14d02c014c88, join_tab=0x14d02c07bf28, end_of_records=false) at /test/11.1_dbg/sql/sql_select.cc:22972
#6  0x0000559350114a88 in do_select (procedure=<optimized out>, join=0x14d02c014c88) at /test/11.1_dbg/sql/sql_select.cc:22569
#7  JOIN::exec_inner (this=this@entry=0x14d02c014c88) at /test/11.1_dbg/sql/sql_select.cc:4897
#8  0x0000559350114fae in JOIN::exec (this=this@entry=0x14d02c014c88) at /test/11.1_dbg/sql/sql_select.cc:4674
#9  0x0000559350112ebb in mysql_select (thd=thd@entry=0x14d02c000d48, tables=<optimized out>, fields=@0x14d02c0134d8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14d02c0137f0, last = 0x14d02c0156d0, elements = 2}, <No data fields>}, conds=0x14d02c0141e0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2164525824, result=0x14d02c014c60, unit=0x14d02c004f90, select_lex=0x14d02c013218) at /test/11.1_dbg/sql/sql_select.cc:5155
#10 0x0000559350113641 in handle_select (thd=thd@entry=0x14d02c000d48, lex=lex@entry=0x14d02c004eb8, result=result@entry=0x14d02c014c60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/11.1_dbg/sql/sql_select.cc:611
#11 0x000055935007acc5 in execute_sqlcom_select (thd=thd@entry=0x14d02c000d48, all_tables=0x14d02c013838) at /test/11.1_dbg/sql/sql_parse.cc:6024
#12 0x0000559350086efe in mysql_execute_command (thd=thd@entry=0x14d02c000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/11.1_dbg/sql/sql_parse.cc:3944
#13 0x000055935007517c in mysql_parse (thd=thd@entry=0x14d02c000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14d0680a82f0) at /test/11.1_dbg/sql/sql_parse.cc:7760
#14 0x0000559350082718 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14d02c000d48, packet=packet@entry=0x14d02c00ae39 "", packet_length=packet_length@entry=35, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_class.h:1370
#15 0x0000559350084b54 in do_command (thd=0x14d02c000d48, blocking=blocking@entry=true) at /test/11.1_dbg/sql/sql_parse.cc:1405
#16 0x00005593501e79c1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x559352dbbc58, put_in_cache=put_in_cache@entry=true) at /test/11.1_dbg/sql/sql_connect.cc:1416
#17 0x00005593501e7e90 in handle_one_connection (arg=0x559352dbbc58) at /test/11.1_dbg/sql/sql_connect.cc:1318
#18 0x000014d080d68609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#19 0x000014d080954133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 11.1.0 (dbg), 11.1.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (opt), 10.9.6 (dbg), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (opt), 10.11.3 (dbg)



Comments
Comment by Roel Van de Paar [ 2023-04-07 ]

Reduced testcase:

SET sql_mode='',optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
CREATE TABLE t (c CHAR(1) NULL);
INSERT INTO t (c) VALUES (1);
SELECT * FROM t WHERE c IN ('','');

Engine for table t can be Aria, MyISAM, Memory. InnoDB is not affected.

Comment by Roel Van de Paar [ 2023-04-07 ]

If we leave off sql_mode='' we see stack smashing:

SET optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
CREATE TABLE t (c CHAR(1) NULL) ENGINE=MyISAM;
INSERT INTO t (c) VALUES (1);
SELECT * FROM t WHERE c IN ('','');

Leads to:

11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug)

Core was generated by `/test/MD070423-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  maria_create (
    name=0x14564c06dc88 "/test/MD070423-mariadb-11.0.2-linux-x86_64-dbg/data/#sql-temptable-3d003f-4-1", datafile_type=<optimized out>, keys=2, 
    keydefs=0x14569d9c2170, columns=2, columndef=0x14564c06dab8, uniques=0, 
    uniquedefs=0x14569d9c20f0, ci=0x14569d9c2110, flags=260)
    at /test/11.0_dbg/storage/maria/ma_create.c:491
[Current thread is 1 (Thread 0x14569d9c4640 (LWP 3997790))]
(gdb) bt
#0  maria_create (name=0x14564c06dc88 "/test/MD070423-mariadb-11.0.2-linux-x86_64-dbg/data/#sql-temptable-3d003f-4-1", datafile_type=<optimized out>, keys=2, keydefs=0x14569d9c2170, columns=2, columndef=0x14564c06dab8, uniques=0, uniquedefs=0x14569d9c20f0, ci=0x14569d9c2110, flags=260) at /test/11.0_dbg/storage/maria/ma_create.c:491
#1  0x0000558245f0ecf0 in create_internal_tmp_table (table=0x14564c06cf70, keyinfo=<optimized out>, start_recinfo=0x14564c06dab8, recinfo=0x14564c016ec0, options=<optimized out>) at /test/11.0_dbg/sql/sql_select.cc:21945
#2  0x0000558204008ff8 in ?? ()
#3  0x0000000000000006 in ?? ()
#4  0x0000000000000060 in ?? ()
#5  0x000014564c004ec8 in ?? ()
#6  0x00000000ffffffe7 in ?? ()
#7  0x000014569d9c22e0 in ?? ()
#8  0x0000558245e59d39 in mysql_handle_single_derived (lex=0x14564c06cf70, derived=0x14564c067d80, phases=1275071832) at /test/11.0_dbg/sql/sql_derived.cc:200
Backtrace stopped: frame did not save the PC

Bug confirmed present in:
MariaDB: 11.0.2 (dbg), 11.0.2 (opt), 11.1.0 (dbg), 11.1.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.4.29 (dbg), 10.4.29 (opt), 10.5.20 (dbg), 10.5.20 (opt), 10.6.13 (dbg), 10.6.13 (opt), 10.7.8 (dbg), 10.7.8 (opt), 10.8.8 (dbg), 10.8.8 (opt), 10.9.6 (dbg), 10.9.6 (opt), 10.10.4 (dbg), 10.10.4 (opt), 10.11.3 (dbg), 10.11.3 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 5.7.40 (opt), 8.0.31 (dbg), 8.0.31 (opt)

Comment by Roel Van de Paar [ 2023-04-07 ]

This issue seems to have both optimizer as well as storage engine (specifically Aria in debug builds, though Memory and MyISAM are affected as well including in optimized builds) components. There is an ASAN use-after-poison in ha_maria::info on debug builds only (this is using the ENGINE=MyISAM testcase):

11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug, UBASAN)

=================================================================
==197908==ERROR: AddressSanitizer: use-after-poison on address 0x6210000f36c8 at pc 0x55e29d043fdb bp 0x14a3d6548320 sp 0x14a3d6548310
READ of size 8 at 0x6210000f36c8 thread T15
    #0 0x55e29d043fda in ha_maria::info(unsigned int) /test/11.0_dbg_san/storage/maria/ha_maria.cc:2742
    #1 0x55e29d045325 in ha_maria::open(char const*, int, unsigned int) /test/11.0_dbg_san/storage/maria/ha_maria.cc:1218
    #2 0x55e29bdea29b in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.0_dbg_san/sql/handler.cc:3472
    #3 0x55e29a99f3ca in open_tmp_table(TABLE*) /test/11.0_dbg_san/sql/sql_select.cc:21741
    #4 0x55e29a425fbe in mysql_derived_create /test/11.0_dbg_san/sql/sql_derived.cc:1136
    #5 0x55e29a42e939 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /test/11.0_dbg_san/sql/sql_derived.cc:200
    #6 0x55e29a946462 in st_join_table::preread_init() /test/11.0_dbg_san/sql/sql_select.cc:15668
    #7 0x55e29a948e93 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22984
    #8 0x55e29ab0b2a0 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22568
    #9 0x55e29ab0b2a0 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
    #10 0x55e29ab0ca3c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
    #11 0x55e29aafb1fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
    #12 0x55e29aaff655 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
    #13 0x55e29a67ee35 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
    #14 0x55e29a6e0190 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #15 0x55e29a70faa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
    #16 0x55e29a71f83c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #17 0x55e29a72d641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #18 0x55e29b0f191b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #19 0x55e29b0f2e36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #20 0x14a3f8f7db42 in start_thread nptl/pthread_create.c:442
    #21 0x14a3f900f9ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
0x6210000f36c8 is located 3528 bytes inside of 4736-byte region [0x6210000f2900,0x6210000f3b80)
allocated by thread T15 here:
    #0 0x55e299d95337 in __interceptor_malloc (/test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x7936337)
    #1 0x55e29e47e598 in my_malloc /test/11.0_dbg_san/mysys/my_malloc.c:91
    #2 0x55e29e45bf6d in my_multi_malloc /test/11.0_dbg_san/mysys/mulalloc.c:59
    #3 0x55e29d101d94 in maria_open /test/11.0_dbg_san/storage/maria/ma_open.c:653
    #4 0x55e29d044f77 in ha_maria::open(char const*, int, unsigned int) /test/11.0_dbg_san/storage/maria/ha_maria.cc:1197
    #5 0x55e29bdea29b in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /test/11.0_dbg_san/sql/handler.cc:3472
    #6 0x55e29a99f3ca in open_tmp_table(TABLE*) /test/11.0_dbg_san/sql/sql_select.cc:21741
    #7 0x55e29a425fbe in mysql_derived_create /test/11.0_dbg_san/sql/sql_derived.cc:1136
    #8 0x55e29a42e939 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /test/11.0_dbg_san/sql/sql_derived.cc:200
    #9 0x55e29a946462 in st_join_table::preread_init() /test/11.0_dbg_san/sql/sql_select.cc:15668
    #10 0x55e29a948e93 in sub_select(JOIN*, st_join_table*, bool) /test/11.0_dbg_san/sql/sql_select.cc:22984
    #11 0x55e29ab0b2a0 in do_select /test/11.0_dbg_san/sql/sql_select.cc:22568
    #12 0x55e29ab0b2a0 in JOIN::exec_inner() /test/11.0_dbg_san/sql/sql_select.cc:4895
    #13 0x55e29ab0ca3c in JOIN::exec() /test/11.0_dbg_san/sql/sql_select.cc:4672
    #14 0x55e29aafb1fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.0_dbg_san/sql/sql_select.cc:5153
    #15 0x55e29aaff655 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.0_dbg_san/sql/sql_select.cc:611
    #16 0x55e29a67ee35 in execute_sqlcom_select /test/11.0_dbg_san/sql/sql_parse.cc:6267
    #17 0x55e29a6e0190 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:3949
    #18 0x55e29a70faa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
    #19 0x55e29a71f83c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #20 0x55e29a72d641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #21 0x55e29b0f191b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #22 0x55e29b0f2e36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #23 0x14a3f8f7db42 in start_thread nptl/pthread_create.c:442
 
Thread T15 created by T0 here:
    #0 0x55e299d39175 in __interceptor_pthread_create (/test/UBASAN_MD070423-mariadb-11.0.2-linux-x86_64-dbg/bin/mariadbd+0x78da175)
    #1 0x55e299def723 in create_thread_to_handle_connection(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6126
    #2 0x55e299dfcd3c in create_new_thread(CONNECT*) /test/11.0_dbg_san/sql/mysqld.cc:6188
    #3 0x55e299dfd5bc in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.0_dbg_san/sql/mysqld.cc:6250
    #4 0x55e299dfe60d in handle_connections_sockets() /test/11.0_dbg_san/sql/mysqld.cc:6374
    #5 0x55e299e05d91 in mysqld_main(int, char**) /test/11.0_dbg_san/sql/mysqld.cc:6021
    #6 0x55e299ddaeca in main /test/11.0_dbg_san/sql/main.cc:34
    #7 0x14a3f8f12d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: use-after-poison /test/11.0_dbg_san/storage/maria/ha_maria.cc:2742 in ha_maria::info(unsigned int)
Shadow bytes around the buggy address:
  0x0c4280016680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280016690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800166a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800166b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800166c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c42800166d0: 00 00 00 00 00 00 00 f7 00[f7]00 f7 00 00 00 00
  0x0c42800166e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c42800166f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280016700: 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00
  0x0c4280016710: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c4280016720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==197908==ABORTING

However on optimized ASAN builds we get error 140 from Aria (using the ENGINE=MyISAM testcase) which may provide further clues:

11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Optimized, UBASAN)

11.0.2-opt>SET optimizer_where_cost=1,big_tables=1,in_predicate_conversion_threshold=2;
Query OK, 0 rows affected, 1 warning (0.002 sec)
 
11.0.2-opt>CREATE TABLE t (c CHAR(1) NULL) ENGINE=MyISAM;
Query OK, 0 rows affected (0.022 sec)
 
11.0.2-opt>INSERT INTO t (c) VALUES (1);
Query OK, 1 row affected (0.011 sec)
 
11.0.2-opt>SELECT * FROM t WHERE c IN ('','');
ERROR 1030 (HY000): Got error 140 "Wrong create options" from storage engine Aria
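
The shadow-byte dump in the ASAN report above can be decoded mechanically, which is a useful check when triaging a sanitizer report: the bracketed shadow byte should map back to exactly the 8-byte window that contains the faulting address, and its value should agree with the legend. The script below is an added example, not part of this bug report or of the MariaDB code base. It assumes the default x86_64 Linux ASan shadow mapping (shadow = (addr >> 3) + 0x7fff8000) and embeds a constructed excerpt of the report quoted above as its input.

```python
"""Decode an AddressSanitizer shadow-byte dump back to application addresses."""
import re

# Assumption: default compiler-rt mapping on x86_64 Linux.
# shadow = (addr >> SHADOW_SCALE) + SHADOW_OFFSET, so addr = (shadow - SHADOW_OFFSET) << SHADOW_SCALE
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3            # one shadow byte covers 8 application bytes

# Standard ASan shadow-byte legend (the same values the report prints).
LEGEND = {
    0x00: "addressable",
    0xfa: "heap left redzone", 0xfd: "freed heap region",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
    0xf5: "stack after return", 0xf8: "stack use after scope",
    0xf9: "global redzone", 0xf6: "global init order",
    0xf7: "poisoned by user", 0xfc: "container overflow",
    0xac: "array cookie", 0xbb: "intra object redzone", 0xfe: "ASan internal",
    0xca: "left alloca redzone", 0xcb: "right alloca redzone", 0xcc: "shadow gap",
}
for _n in range(1, 8):
    LEGEND[_n] = f"partially addressable ({_n} of 8 bytes)"

# Constructed excerpt of the report quoted in the comment above (addresses as printed there).
SAMPLE_REPORT = """\
==197908==ERROR: AddressSanitizer: use-after-poison on address 0x6210000f36c8 at pc 0x55e29d043fdb bp 0x14a3d6548320 sp 0x14a3d6548310
READ of size 8 at 0x6210000f36c8 thread T15
0x6210000f36c8 is located 3528 bytes inside of 4736-byte region [0x6210000f2900,0x6210000f3b80)
Shadow bytes around the buggy address:
  0x0c42800166c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c42800166d0: 00 00 00 00 00 00 00 f7 00[f7]00 f7 00 00 00 00
  0x0c42800166e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
ROW_RE = re.compile(r"^(=>)?\s*(0x[0-9a-f]+):((?:\s*\[?[0-9a-f]{2}\]?)+)\s*$")
BYTE_RE = re.compile(r"(\[)?([0-9a-f]{2})(\])?")


def shadow_to_app(shadow_addr):
    """First application address covered by the given shadow byte."""
    return (shadow_addr - SHADOW_OFFSET) << SHADOW_SCALE


def app_to_shadow(app_addr):
    """Shadow byte that describes the given application address."""
    return (app_addr >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_report(text):
    """Pull the fault header, the allocation region and the shadow rows out of an ASan report."""
    info = {"rows": []}
    m = HEADER_RE.search(text)
    if m:
        info["bug"], info["address"] = m.group(1), int(m.group(2), 16)
    m = ACCESS_RE.search(text)
    if m:
        info["access"], info["size"] = m.group(1), int(m.group(2))
    m = REGION_RE.search(text)
    if m:
        info["offset"] = int(m.group(1))
        info["region"] = (int(m.group(3), 16), int(m.group(4), 16))
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r:
            continue
        values, marked = [], None
        for i, b in enumerate(BYTE_RE.finditer(r.group(3))):
            values.append(int(b.group(2), 16))
            if b.group(1):          # "[f7]" marks the byte ASan blames
                marked = i
        info["rows"].append({"shadow": int(r.group(2), 16), "bytes": values,
                             "marked": marked, "current": bool(r.group(1))})
    return info


def explain(text):
    """Map the marked shadow byte back to memory and cross-check it against the fault header."""
    info = parse_report(text)
    row = next(r for r in info["rows"] if r["marked"] is not None)
    shadow_addr = row["shadow"] + row["marked"]
    app_start = shadow_to_app(shadow_addr)
    value = row["bytes"][row["marked"]]
    result = {
        "bug": info["bug"],
        "shadow_byte": shadow_addr,
        "shadow_value": value,
        "meaning": LEGEND.get(value, "unknown"),
        "covers": (app_start, app_start + (1 << SHADOW_SCALE)),
        # The faulting address must lie in the 8 bytes this shadow byte describes.
        "consistent": app_start <= info["address"] < app_start + (1 << SHADOW_SCALE)
        and app_to_shadow(info["address"]) == shadow_addr,
    }
    if "region" in info:
        result["region_offset"] = info["address"] - info["region"][0]
        result["region_offset_matches"] = result["region_offset"] == info["offset"]
    return result


if __name__ == "__main__":
    for key, val in explain(SAMPLE_REPORT).items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

For the excerpt above the marked byte 0xf7 at shadow address 0x0c42800166d9 covers 0x6210000f36c8..0x6210000f36d0, i.e. exactly the faulting address, 3528 bytes into the maria_open allocation, and the legend value "poisoned by user" says the application itself marked those bytes unreadable rather than ASan's own redzones. That is why the report only appears on debug builds: the server's debug memory-poisoning macros are what turn this read of not-yet-valid share data into a sanitizer abort.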

Comment by Roel Van de Paar [ 2023-04-07 ]

MTR accepts the last testcase above without changes:

11.1.0 2b61ff8f2221745f0a96855a0feb0825c426f993 (Debug)

 - found 'core.371450' (0/5)
Core generated by '/test/MD070423-mariadb-11.1.0-linux-x86_64-dbg/bin/mariadbd'

Comment by Roel Van de Paar [ 2023-04-07 ]

Recent regression. Git bisect in progress complete.

bd9ca2a0e3dfb00da226822cea53bb856e8393f0 is the first bad commit

commit bd9ca2a0e3dfb00da226822cea53bb856e8393f0
Author: Monty <monty@mariadb.org>
Date:   Fri Feb 10 13:18:39 2023 +0200
 
    MDEV-30540 Wrong result with IN list length reaching IN_PREDICATE_CONVERSION_THRESHOLD
 
    The problem was the mysql_derived_prepare() did not correctly set
    'distinct' when creating a temporary derivated table.
 
    Fixed by separating checking for distinct for queries with and without
    UNION.
 
    Other things:
    - Fixed bug in generate_derived_keys_for_table() where we set the wrong
      bit for join_tab->keys
    - Cleaned up JOIN::drop_unused_derived_keys()
    - Changed TABLE::use_index() to keep unique keys and update
      share->key_parts
 
    Author: Sergei Petrunia <sergey@mariadb.com>, monty@mariadb.org

Comment by Rex Johnston [ 2023-04-13 ]

Hi Sergei,

Simple enough fix in the end.

BR, Rex

Comment by Sergei Petrunia [ 2023-04-16 ]

Johnston, please see the input to the PR.

Comment by Rex Johnston [ 2023-04-17 ]

thanks Sergei

Comment by Sergei Petrunia [ 2023-04-26 ]

In addition to questions on the latest patch, I've tried to adjust it to make create_internal_tmp_table() handle the case with multiple indexes.

The result is here: https://github.com/MariaDB/server/tree/bb-11.0-MDEV-31022-variant2

Comment by Sergei Petrunia [ 2023-04-28 ]

serg, JFYI: Monty has pointed out that there's a case where two indexes are needed:

  • index $IDX1 is a unique constraint (say, the temp. table is using multiple columns and the total length is large, so we have to use a unique constraint)
  • the other index $IDX2 is used by "derived_with_keys" optimization. Note that $IDX1 is not usable for lookups so we can't use it instead of $IDX2.

Comment by Sergei Golubchik [ 2023-04-28 ]

https://github.com/MariaDB/server/commit/cbd36645b7 is ok to push

Comment by Sergei Petrunia [ 2023-05-09 ]

Fix pushed into 11.0 tree.

Generated at Thu Feb 08 10:20:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.