[MDEV-31912] ASAN errors in base_list_iterator::next_fast / JOIN::choose_tableless_subquery_plan on 2nd execution of SP Created: 2023-08-13  Updated: 2023-08-13

Status: Open
Project: MariaDB Server
Component/s: Optimizer, Stored routines
Affects Version/s: 10.4, 10.5
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Minor
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: not-10.6+


 Description   

Set to Minor because only 10.4/10.5 are affected. Note that the severity reflects the affected versions, not the impact: the ASAN report below is a heap use-after-free (a READ of freed memory inside the optimizer), reachable by any account that can create and call a stored procedure, and in a non-ASAN build the second CALL may crash the server or silently read stale heap data.

# Reproducer for MDEV-31912. The first CALL succeeds; the second one reads
# memory that was released by free_root() at the end of the first execution
# of the stored procedure (see the "freed by" stack in the ASAN report below).
# Keep the statements exactly as they are: the bug depends on the plan the
# optimizer picks for the IN subquery (select#2), see the EXPLAIN output below.
CREATE TABLE t1 (a INT);
 
# t2 carries an index on c; on 10.4 the first execution accesses t2 through
# that index ("Using index" in select#2). Presumably the index is needed for
# the plan change between executions -- not verified here.
CREATE TABLE t2 (b INT, c VARCHAR(1), KEY(c));
INSERT INTO t2 VALUES (1,'n'),(2, 'e');
 
CREATE TABLE t3 (d INT);
INSERT INTO t3 VALUES (1),(2);
 
# The IN subquery is an aggregate (MIN/COUNT) over a comma join of t2 and t3
# with a nested NOT IN subquery. On 10.4/10.5 the second execution plans it
# as "Impossible WHERE" (tableless), which is the path through
# JOIN::choose_tableless_subquery_plan -> Item_in_subselect::inject_in_to_exists_cond
# where the freed list is iterated.
CREATE PROCEDURE sp() SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));
 
CALL sp;
# Second execution of the same SP instruction triggers the heap-use-after-free.
CALL sp;
 
# Cleanup
DROP PROCEDURE sp;
DROP TABLE t1, t2, t3;

ASAN report on 10.4 (commit b2e312b0):

==3472060==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000120468 at pc 0x55f8d79bbb47 bp 0x7f16af4b6b80 sp 0x7f16af4b6b78
READ of size 8 at 0x625000120468 thread T5
    #0 0x55f8d79bbb46 in base_list_iterator::next_fast() /data/src/10.4/sql/sql_list.h:443
    #1 0x55f8d824efd2 in List_iterator_fast<Item_sum>::operator++(int) /data/src/10.4/sql/sql_list.h:620
    #2 0x55f8d867a2fd in Item_in_subselect::inject_in_to_exists_cond(JOIN*) /data/src/10.4/sql/item_subselect.cc:2742
    #3 0x55f8d8191d25 in JOIN::choose_tableless_subquery_plan() /data/src/10.4/sql/opt_subselect.cc:6764
    #4 0x55f8d7d5e065 in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:3128
    #5 0x55f8d7d5660c in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2394
    #6 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
    #7 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
    #8 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
    #9 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
    #10 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
    #11 0x55f8d7d7017e in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4812
    #12 0x55f8d7d40fae in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #13 0x55f8d7cb04d6 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
    #14 0x55f8d7c9d9eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
    #15 0x55f8d7a5e745 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3694
    #16 0x55f8d7a5ce66 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3424
    #17 0x55f8d7a5dedc in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3600
    #18 0x55f8d7a4f502 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
    #19 0x55f8d7a555cf in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2371
    #20 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
    #21 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
    #22 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #23 0x55f8d7cb9726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #24 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #25 0x55f8d7c8c560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #26 0x55f8d808babf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #27 0x55f8d808b3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #28 0x55f8d8cfb3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #29 0x7f16b72a7fd3 in start_thread nptl/pthread_create.c:442
    #30 0x7f16b73285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x625000120468 is located 2920 bytes inside of 8160-byte region [0x62500011f900,0x6250001218e0)
freed by thread T5 here:
    #0 0x7f16b78b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x55f8d98455fb in my_free /data/src/10.4/mysys/my_malloc.c:222
    #2 0x55f8d9822507 in free_root /data/src/10.4/mysys/my_alloc.c:421
    #3 0x55f8d7a4fbd1 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1447
    #4 0x55f8d7a555cf in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2371
    #5 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
    #6 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
    #7 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #8 0x55f8d7cb9726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #9 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #10 0x55f8d7c8c560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #11 0x55f8d808babf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #12 0x55f8d808b3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #13 0x55f8d8cfb3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #14 0x7f16b72a7fd3 in start_thread nptl/pthread_create.c:442
 
previously allocated by thread T5 here:
    #0 0x7f16b78b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55f8d9844a5c in my_malloc /data/src/10.4/mysys/my_malloc.c:101
    #2 0x55f8d9821482 in alloc_root /data/src/10.4/mysys/my_alloc.c:251
    #3 0x55f8d79bb6ae in Sql_alloc::operator new(unsigned long, st_mem_root*) /data/src/10.4/sql/sql_alloc.h:39
    #4 0x55f8d87f2be1 in make_select(TABLE*, unsigned long long, unsigned long long, Item*, SORT_INFO*, bool, int*) /data/src/10.4/sql/opt_range.cc:1199
    #5 0x55f8d7d579aa in JOIN::optimize_stage2() /data/src/10.4/sql/sql_select.cc:2490
    #6 0x55f8d7d5660c in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2394
    #7 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
    #8 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
    #9 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
    #10 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
    #11 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
    #12 0x55f8d7c2cb0d in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.4/sql/sql_lex.cc:4236
    #13 0x55f8d818a1bb in JOIN::optimize_constant_subqueries() /data/src/10.4/sql/opt_subselect.cc:5636
    #14 0x55f8d7d525f4 in JOIN::optimize_inner() /data/src/10.4/sql/sql_select.cc:2048
    #15 0x55f8d7d4f2aa in JOIN::optimize() /data/src/10.4/sql/sql_select.cc:1711
    #16 0x55f8d7d7017e in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4812
    #17 0x55f8d7d40fae in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #18 0x55f8d7cb04d6 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
    #19 0x55f8d7c9d9eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
    #20 0x55f8d7a5e745 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3694
    #21 0x55f8d7a5ce66 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3424
    #22 0x55f8d7a5dedc in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3600
    #23 0x55f8d7a4f502 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
    #24 0x55f8d7a555cf in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2371
    #25 0x55f8d7c96d08 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3062
    #26 0x55f8d7c988a9 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3304
    #27 0x55f8d7cadeac in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6216
    #28 0x55f8d7cb9726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #29 0x55f8d7c8f9f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
 
Thread T5 created by T0 here:
    #0 0x7f16b7849726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x55f8d8cfb7ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x55f8d7997f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x55f8d79af690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
    #4 0x55f8d79afddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
    #5 0x55f8d79b02a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
    #6 0x55f8d79b1155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
    #7 0x55f8d79aedf3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
    #8 0x55f8d79960b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7f16b7246189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/sql_list.h:443 in base_list_iterator::next_fast()
Shadow bytes around the buggy address:
  0x0c4a8001c030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001c080: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c4a8001c090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c0a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a8001c0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3472060==ABORTING

Reproducible on 10.4-10.5 with at least the MyISAM and InnoDB storage engines.
Not reproducible on 10.6; the query plan is different there. Compare the EXPLAIN output below: on 10.4 the first and second executions produce different plans for select#2 (index/BNL join on the first call, "Impossible WHERE" on the second), whereas on 10.6 both executions already produce the same "Impossible WHERE" plan.

Plans on 10.4

CREATE PROCEDURE sp() EXPLAIN EXTENDED SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));
CALL sp;
id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE noticed after reading const tables
2	SUBQUERY	t2	index	NULL	c	4	NULL	2	100.00	Using index
2	SUBQUERY	t3	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where; Using join buffer (flat, BNL join)
3	SUBQUERY	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
Warnings:
Note	1003	/* select#1 */ select NULL AS `a` from `test`.`t1` where 0
CALL sp;
id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
2	SUBQUERY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
3	SUBQUERY	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
Warnings:
Note	1003	/* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0

Plans on 10.6

CREATE PROCEDURE sp() EXPLAIN EXTENDED SELECT * FROM t1 WHERE ('x', '0') IN (SELECT MIN(c), COUNT(*) FROM t2, t3 WHERE t3.d >= 0 AND 1 NOT IN (SELECT b FROM t2));
CALL sp;
id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
2	SUBQUERY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
3	SUBQUERY	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
Warnings:
Note	1003	/* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0
CALL sp;
id	select_type	table	type	possible_keys	key	key_len	ref	rows	filtered	Extra
1	PRIMARY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
2	SUBQUERY	NULL	NULL	NULL	NULL	NULL	NULL	NULL	NULL	Impossible WHERE
3	SUBQUERY	t2	ALL	NULL	NULL	NULL	NULL	2	100.00	Using where
Warnings:
Note	1003	/* select#1 */ select `test`.`t1`.`a` AS `a` from `test`.`t1` where 0

