[MDEV-32416] Heap-Use-After-Free at /mariadb-11.3.0/sql/item_strfunc.cc:2432 (Item_func_rtrim::val_str reading a freed InnoDB blob heap) Created: 2023-10-10  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04



 Description   

Run these statements against an ASan-instrumented debug build. Note that `t0` is created without an ENGINE clause, so the server default must be InnoDB — the freeing call in the trace (`row_mysql_prebuilt_free_blob_heap`) is InnoDB code, and the reduced case in the comments below does not reproduce with MyISAM:

-- Reproducer for MDEV-32416 (heap-use-after-free in Item_func_rtrim::val_str).
-- The statements are fuzzer output and are kept verbatim: reshaping the SELECT
-- may stop it from reaching the faulting path.
-- c16 is TEXT, i.e. a BLOB-family column. Per the "previously allocated" stack,
-- InnoDB hands such values back through a per-handler mem_heap created in
-- row_sel_store_mysql_field, not through the record buffer itself.
CREATE TABLE t0 ( c16 TEXT , c42 INT ) ;
INSERT INTO t0 VALUES ( -57 , 60 ) , ( -5 , -28 ) ;
-- The index and the second INSERT are part of the original fuzz case; the
-- reduced case in the comments below reproduces without them.
CREATE INDEX i0 ON t0 ( c16 ) ;
INSERT INTO t0 VALUES ( -9174437064508089785 , -87 ) , ( -43 , 41 ) ;
-- What matters per the ASan stacks: the derived table t2 is filled
-- (mysql_derived_fill) through a temporary table (end_unique_update), and its
-- HAVING wraps an EXISTS subquery in MIN(), so the subquery runs from
-- Item_sum_min_max::reset_field. Inside it, `= ALL ( SELECT ... FROM t0 HAVING
-- TRIM( TRAILING FROM c16 ) )` is where Item_func_rtrim::val_str reads the TEXT
-- bytes through a pointer into a blob heap that a later ha_rnd_next of the same
-- derived-table scan had already freed (see the "freed by" stack). The window
-- function, RAND() and the string noise are fuzzer filler; the reduced case in
-- the comments does without them.
SELECT t0 . c42 AS c42 FROM ( SELECT DISTINCT c16 AS c16 FROM t0 GROUP BY c42 , c16 HAVING RPAD ( c42 , MIN( EXISTS ( SELECT CONCAT ( -2 , 'Z<B > V]1ZJ0g>Mexwz4' ) = ALL ( SELECT c42 AS c42 FROM t0 HAVING TRIM( TRAILING FROM c16 ) ) AS c28 , ROW_NUMBER ( ) OVER ( PARTITION BY 0 , -42 , -79 , 19 , -33 , NOT COUNT( DISTINCT 3 , ~ UNHEX ( -107 ) / REPEAT ( 23 , SIN ( -40 ) IS TRUE ) >> INSTR ( -33 , '!`tH^uPn1i>3%REeyf:' ) % SIN ( -35 ) ) << RAND ( ) & TRIM( TRAILING FROM -32 ) , -863219839305554182 , -5 ) AS c2 FROM ( SELECT NULL AS c45 FROM t0 ) AS t1 ) ) * + EXISTS ( SELECT NOT t0 . c42 = RAND ( ) / TRIM( c42 FROM 'L9OhrY3btSEK,' ) IS NOT FALSE AS c25 ) , 'nHs|4XQyN%VoZ%@O|"k*1T@]96CjJmG.a%8=|8<{L"[' ) ) AS t2 JOIN t0 ON t0 . c42 = t2 . c16 ;

Running them triggers a heap-use-after-free. The faulting read is `Item_func_rtrim::val_str` — the `TRIM( TRAILING FROM c16 )` in the innermost HAVING — dereferencing a TEXT value whose backing memory is an InnoDB blob heap (a `mem_heap` created in `row_sel_store_mysql_field`) that `row_mysql_prebuilt_free_blob_heap` had already released during a later `ha_rnd_next` of the same derived-table scan; see the "freed by" and "previously allocated by" stacks below.
Security note: the reproducer is an ordinary SELECT on a user-created table, so any account with SELECT privilege on an InnoDB table that has a TEXT/BLOB column appears able to trigger it. On a non-ASan build the 1-byte read of freed memory would most likely surface as a server crash (denial of service) or as garbage in the result; nothing beyond that is established here.
ASan report:
=================================================================
==90846==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000dc28a at pc 0x000001527cb4 bp 0x7fffd24274f0 sp 0x7fffd24274e8
READ of size 1 at 0x6290000dc28a thread T15
#0 0x1527cb3 in Item_func_rtrim::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27
#1 0x150c0d8 in Item_str_func::val_real() /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:156:16
#2 0x10d6d80 in Type_handler_string_result::Item_val_bool(Item*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:5092:16
#3 0x13dc287 in Item_cond_and::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:5524:16
#4 0xc36c7c in end_send(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:24685:37
#5 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
#6 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
#7 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#8 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#9 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#10 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
#11 0x15b4baa in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
#12 0x15b4baa in Item_in_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:994:3
#13 0x15be5df in Item_in_subselect::val_bool() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1991:7
#14 0x13b4fcb in Item_in_optimizer::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1664:17
#15 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
#16 0x136cb0b in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
#17 0x136cb0b in Item_cache_wrapper::val_bool() /home/wx/mariadb-11.3.0/sql/item.cc:9101:3
#18 0x13a5d60 in Item_func_not_all::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:222:24
#19 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
#20 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
#21 0xc9a3e6 in copy_funcs(Item*, THD const) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
#22 0xc9a3e6 in end_write_group(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25267:11
#23 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
#24 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
#25 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#26 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#27 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#28 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
#29 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
#30 0x15bda3c in Item_exists_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1840:24
#31 0x160307a in Item_sum_min_max::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2796:24
#32 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
#33 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
#34 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
#35 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
#36 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#37 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#38 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#39 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#40 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
#41 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
#42 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
#43 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
#44 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#45 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#46 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#47 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#48 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
#49 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
#50 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
#51 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
#52 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
#53 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
#54 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
#55 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
#56 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
#57 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#58 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6290000dc28a is located 138 bytes inside of 16512-byte region [0x6290000dc200,0x6290000e0280)
freed by thread T15 here:
#0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
#1 0x1dd1e62 in mem_heap_free(mem_block_info_t*) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:419:3
#2 0x1dd1e62 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0mysql.cc:101:2
#3 0x1e2a5b3 in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3148:3
#4 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
#5 0x1bbb5a1 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9289:24
#6 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
#7 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
#8 0xbe355b in READ_RECORD::read_record() /home/wx/mariadb-11.3.0/sql/records.h:81:30
#9 0xbe355b in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23461:18
#10 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#11 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#12 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#13 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#14 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
#15 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
#16 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
#17 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
#18 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#19 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#20 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#21 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#22 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
#23 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
#24 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
#25 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
#26 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
#27 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
#28 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
#29 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
#30 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
#31 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T15 here:
#0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
#1 0x1bfa497 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /home/wx/mariadb-11.3.0/storage/innobase/include/ut0new.h:375:11
#2 0x1cdd194 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/mem/mem0mem.cc:277:37
#3 0x1e38469 in mem_heap_create_func(unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/include/mem0mem.inl:377:10
#4 0x1e38469 in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3089:27
#5 0x1e2a2ca in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:3235:8
#6 0x1e2513c in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/wx/mariadb-11.3.0/storage/innobase/row/row0sel.cc:5689:9
#7 0x1bbaeb4 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9029:5
#8 0x1bbbdc3 in ha_innobase::index_first(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9385:14
#9 0x1bbbdc3 in ha_innobase::rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/storage/innobase/handler/ha_innodb.cc:9477:11
#10 0x12e9459 in handler::ha_rnd_next(unsigned char*) /home/wx/mariadb-11.3.0/sql/handler.cc:3615:5
#11 0x8b8f83 in rr_sequential(READ_RECORD*) /home/wx/mariadb-11.3.0/sql/records.cc:513:35
#12 0xbe32cb in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441:12
#13 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#14 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#15 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#16 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#17 0xa56eb6 in mysql_derived_fill(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1266:10
#18 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
#19 0xc71b7f in st_join_table::preread_init() /home/wx/mariadb-11.3.0/sql/sql_select.cc:16029:7
#20 0xbe2fe9 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23392:49
#21 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
#22 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
#23 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
#24 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
#25 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
#26 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
#27 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
#28 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
#29 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
#30 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
#31 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
#32 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
#33 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3

Thread T15 created by T0 here:
#0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
#1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
#2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
#3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
#4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
#5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
#6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
#7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
#8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
#9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2432:27 in Item_func_rtrim::val_str(String*)
Shadow bytes around the buggy address:
0x0c5280013800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280013810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280013820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280013830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280013840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5280013850: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280013860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280013870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280013880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280013890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c52800138a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==90846==ABORTING



 Comments   
Comment by Alice Sherepa [ 2023-10-23 ]

Thank you!
Reproduced on 10.4–11.2 with InnoDB; it does not reproduce with MyISAM, which is consistent with the freeing call in the trace being InnoDB's row_mysql_prebuilt_free_blob_heap. Reduced test case (mysqltest format):

--source include/have_innodb.inc 
 
# Reduced reproducer for MDEV-32416. InnoDB is required: the block ASan reports
# as freed is InnoDB's prebuilt blob heap (row_mysql_prebuilt_free_blob_heap);
# the same statements do not reproduce on MyISAM.
CREATE TABLE t0 ( i text) engine=innodb ;
# A TEXT column is what puts the value into a per-handler mem_heap
# (row_sel_store_mysql_field, see the "previously allocated" stack) that InnoDB
# frees again on a later fetch. Several rows are inserted so the scan actually
# advances; presumably a single row would not free the heap early.
INSERT INTO t0 VALUES ( -57) , ( -5 ), ( -9) , ( -43 ) ;
 
# Per the ASan stacks: GROUP BY i goes through a temporary table
# (end_unique_update / AGGR_OP::put_record), MIN(EXISTS(...)) makes the subquery
# run from Item_sum_min_max::reset_field, and the innermost HAVING evaluates
# TRIM( TRAILING FROM i ) via Item_func_rtrim::val_str -- the faulting read --
# after the outer scan of t0 (handler::ha_rnd_next) has already freed the blob
# heap holding the TEXT value. Keep the statement shape; whether the derived
# table dt or the sum(1) can be dropped further is untested.
SELECT 1 FROM t0 GROUP BY  i 
HAVING  
    MIN( EXISTS ( 
        SELECT exists( SELECT 1 FROM t0 HAVING TRIM( TRAILING FROM i )), sum(1) 
         FROM ( SELECT 0 FROM t0 )dt ) 
    );
 
drop table t0;

Version: '10.4.32-MariaDB-debug-log'   source revision babd833685e1fd1da4411a0874ba1c98bb0b631d
=================================================================
==680299==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290002c628a at pc 0x55fbba283b36 bp 0x7f5e7b315710 sp 0x7f5e7b315700
READ of size 1 at 0x6290002c628a thread T27
    #0 0x55fbba283b35 in Item_func_rtrim::val_str(String*) /10.4/src/sql/item_strfunc.cc:2051
    #1 0x55fbba27155b in Item_str_func::val_int() /10.4/src/sql/item_strfunc.cc:159
    #2 0x55fbb9a1c3f9 in end_send /10.4/src/sql/sql_select.cc:22086
    #3 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #4 0x55fbb9a13389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #5 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423
    #6 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #7 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #8 0x55fbba2e1a0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #9 0x55fbba2bca77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #10 0x55fbba2c73ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735
    #11 0x55fbb96080bd in Item::val_int_result() /10.4/src/sql/item.h:1557
    #12 0x55fbba12e6dc in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10016
    #13 0x55fbba1472a7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8779
    #14 0x55fbba124303 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8887
    #15 0x55fbba101ed2 in Item_copy_string::copy() /10.4/src/sql/item.cc:4997
    #16 0x55fbb9a37a51 in copy_fields(TMP_TABLE_PARAM*) /10.4/src/sql/sql_select.cc:25761
    #17 0x55fbb9a1e804 in end_send_group(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:22326
    #18 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #19 0x55fbb9a13389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #20 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423
    #21 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #22 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #23 0x55fbba2e1a0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #24 0x55fbba2bca77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #25 0x55fbba2c73ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735
    #26 0x55fbba317bfc in Item_sum_min_max::reset_field() /10.4/src/sql/item_sum.cc:2762
    #27 0x55fbb9a3a7e4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26090
    #28 0x55fbb9a209ec in end_unique_update /10.4/src/sql/sql_select.cc:22510
    #29 0x55fbb9a551be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615
    #30 0x55fbb9a64c6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)
    #31 0x55fbb9a120cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607
    #32 0x55fbb9a14a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #33 0x55fbb9a139ef in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20941
    #34 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423
    #35 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #36 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #37 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #38 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #39 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #40 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #41 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #42 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #43 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #44 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #45 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #46 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #47 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #48 0x7f5e91ab5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6290002c628a is located 138 bytes inside of 16512-byte region [0x6290002c6200,0x6290002ca280)
freed by thread T27 here:
    #0 0x7f5e924e240f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55fbbac77634 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /10.4/src/storage/innobase/mem/mem0mem.cc:416
    #2 0x55fbbade9159 in mem_heap_free /10.4/src/storage/innobase/include/mem0mem.inl:417
    #3 0x55fbbadf0732 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /10.4/src/storage/innobase/row/row0mysql.cc:137
    #4 0x55fbbae8087b in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3106
    #5 0x55fbbae90c16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589
    #6 0x55fbbaa89ad2 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /10.4/src/storage/innobase/handler/ha_innodb.cc:9678
    #7 0x55fbbaa8ab01 in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9888
    #8 0x55fbba09fd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904
    #9 0x55fbba4d8d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485
    #10 0x55fbb9711db9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70
    #11 0x55fbb9a1360c in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20921
    #12 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423
    #13 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #14 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #15 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #16 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #17 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #18 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #19 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #20 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #21 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #22 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #23 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #24 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #25 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T27 here:
    #0 0x7f5e924e2808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55fbbac76a31 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /10.4/src/storage/innobase/mem/mem0mem.cc:277
    #2 0x55fbbae68f52 in mem_heap_create_func /10.4/src/storage/innobase/include/mem0mem.inl:375
    #3 0x55fbbae8013c in row_sel_store_mysql_field /10.4/src/storage/innobase/row/row0sel.cc:3047
    #4 0x55fbbae81261 in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3178
    #5 0x55fbbae90c16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589
    #6 0x55fbbaa87196 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.4/src/storage/innobase/handler/ha_innodb.cc:9405
    #7 0x55fbbaa8a4eb in ha_innobase::index_first(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9787
    #8 0x55fbbaa8aa7b in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9880
    #9 0x55fbba09fd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904
    #10 0x55fbba4d8d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485
    #11 0x55fbb9711db9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70
    #12 0x55fbb9a19fbc in join_init_read_record(st_join_table*) /10.4/src/sql/sql_select.cc:21851
    #13 0x55fbb9a131cd in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20899
    #14 0x55fbb9a1112f in do_select /10.4/src/sql/sql_select.cc:20423
    #15 0x55fbb999ec77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #16 0x55fbb999c2a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #17 0x55fbb99a0483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #18 0x55fbb9970f7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #19 0x55fbb98dcd7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #20 0x55fbb98ca4f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #21 0x55fbb98e625a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #22 0x55fbb98bc680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #23 0x55fbb98b91ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #24 0x55fbb9cc756c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #25 0x55fbb9cc6e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #26 0x55fbba971d89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #27 0x7f5e91ee4608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7f5e9240f815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55fbba97217a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x55fbb95b4f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55fbb95cd103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x55fbb95cd89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x55fbb95cdd84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x55fbb95cec40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x55fbb95cc808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x55fbb95b2f3c in main /10.4/src/sql/main.cc:25
    #9 0x7f5e919ba082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/item_strfunc.cc:2051 in Item_func_rtrim::val_str(String*)
Shadow bytes around the buggy address:
  0x0c5280050c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5280050c50: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==680299==ABORTING
----------SERVER LOG END-------------

--source include/have_innodb.inc 
 
# Reproducer for the heap-use-after-free in this ticket (observed on
# 10.4.32-MariaDB-debug-log; full ASAN report follows this script).
# The table must be InnoDB with a TEXT column: the "freed by" stack shows the
# region read after free is InnoDB's prebuilt blob heap for the TEXT value
# (row_mysql_prebuilt_free_blob_heap), released inside a later rnd_next on t0.
CREATE TABLE t0 ( i text) engine=innodb ;
# Several rows: the heap is freed when the engine advances to the next row
# while an earlier TEXT value is still referenced, so a single row presumably
# would not reproduce -- not verified here.
INSERT INTO t0 VALUES ( -57) , ( -5 ), ( -9) , ( -43 ) ;
 
# Keep the query shape exactly as written.  Per the "READ" stack, the path to
# the freed buffer is: MIN(...) -> Item_sum_min_max::reset_field -> the EXISTS
# subselect -> copy_fields caching the inner exists(...) column -> the
# innermost SELECT ... HAVING i evaluated as Item_func_ne -> Item_ref ->
# Field_blob::val_decimal -> str2my_decimal on the already-freed TEXT bytes.
SELECT 1 FROM t0 GROUP BY  i 
HAVING  
    MIN( EXISTS ( 
        SELECT exists( SELECT 1 FROM t0 HAVING i), sum(1) 
         FROM ( SELECT 0 FROM t0 )dt ) 
    );
 
drop table t0;

Version: '10.4.32-MariaDB-debug-log'  
 
=================================================================
==679980==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290002c6288 at pc 0x559e81d2dc27 bp 0x7fb259626560 sp 0x7fb259626550
READ of size 1 at 0x6290002c6288 thread T27
    #0 0x559e81d2dc26 in internal_str2dec /10.4/src/strings/decimal.c:801
    #1 0x559e80b81db4 in str2my_decimal(unsigned int, char const*, unsigned long, charset_info_st const*, my_decimal*, char const**) /10.4/src/sql/my_decimal.cc:256
    #2 0x559e80791aa3 in Value_source::Converter_str2my_decimal::Converter_str2my_decimal(unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*) /10.4/src/sql/field.h:224
    #3 0x559e80791dc5 in Value_source::Converter_str2my_decimal_with_warn::Converter_str2my_decimal_with_warn(THD*, Value_source::Warn_filter, unsigned int, charset_info_st const*, char const*, unsigned long, my_decimal*) /10.4/src/sql/field.h:276
    #4 0x559e807738ff in Field_blob::val_decimal(my_decimal*) /10.4/src/sql/field.cc:8619
    #5 0x559e808324d7 in Item_field::val_decimal_result(my_decimal*) /10.4/src/sql/item.cc:3364
    #6 0x559e8085bf45 in Item_ref::val_decimal(my_decimal*) /10.4/src/sql/item.cc:8448
    #7 0x559e8056b50f in VDec::VDec(Item*) /10.4/src/sql/sql_type.cc:195
    #8 0x559e80894c0c in Arg_comparator::compare_decimal() /10.4/src/sql/item_cmpfunc.cc:871
    #9 0x559e808d836d in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104
    #10 0x559e808a0414 in Item_func_ne::val_int() /10.4/src/sql/item_cmpfunc.cc:1813
    #11 0x559e801593f9 in end_send /10.4/src/sql/sql_select.cc:22086
    #12 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #13 0x559e80150389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #14 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423
    #15 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #16 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #17 0x559e80a1ea0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #18 0x559e809f9a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #19 0x559e80a043ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735
    #20 0x559e7fd450bd in Item::val_int_result() /10.4/src/sql/item.h:1557
    #21 0x559e8086b6dc in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10016
    #22 0x559e808842a7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8779
    #23 0x559e80861303 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8887
    #24 0x559e8083eed2 in Item_copy_string::copy() /10.4/src/sql/item.cc:4997
    #25 0x559e80174a51 in copy_fields(TMP_TABLE_PARAM*) /10.4/src/sql/sql_select.cc:25761
    #26 0x559e8015b804 in end_send_group(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:22326
    #27 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #28 0x559e80150389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #29 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423
    #30 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #31 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #32 0x559e80a1ea0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #33 0x559e809f9a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #34 0x559e80a043ec in Item_exists_subselect::val_int() /10.4/src/sql/item_subselect.cc:1735
    #35 0x559e80a54bfc in Item_sum_min_max::reset_field() /10.4/src/sql/item_sum.cc:2762
    #36 0x559e801777e4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26090
    #37 0x559e8015d9ec in end_unique_update /10.4/src/sql/sql_select.cc:22510
    #38 0x559e801921be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615
    #39 0x559e801a1c6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)
    #40 0x559e8014f0cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607
    #41 0x559e80151a54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #42 0x559e801509ef in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20941
    #43 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423
    #44 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #45 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #46 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #47 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #48 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #49 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #50 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #51 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #52 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #53 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #54 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #55 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #56 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #57 0x7fb26fdc8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6290002c6288 is located 136 bytes inside of 16512-byte region [0x6290002c6200,0x6290002ca280)
freed by thread T27 here:
    #0 0x7fb2707f540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x559e813b4634 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /10.4/src/storage/innobase/mem/mem0mem.cc:416
    #2 0x559e81526159 in mem_heap_free /10.4/src/storage/innobase/include/mem0mem.inl:417
    #3 0x559e8152d732 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /10.4/src/storage/innobase/row/row0mysql.cc:137
    #4 0x559e815bd87b in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3106
    #5 0x559e815cdc16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589
    #6 0x559e811c6ad2 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /10.4/src/storage/innobase/handler/ha_innodb.cc:9678
    #7 0x559e811c7b01 in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9888
    #8 0x559e807dcd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904
    #9 0x559e80c15d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485
    #10 0x559e7fe4edb9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70
    #11 0x559e8015060c in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20921
    #12 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423
    #13 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #14 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #15 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #16 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #17 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #18 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #19 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #20 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #21 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #22 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #23 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #24 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #25 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T27 here:
    #0 0x7fb2707f5808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x559e813b3a31 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /10.4/src/storage/innobase/mem/mem0mem.cc:277
    #2 0x559e815a5f52 in mem_heap_create_func /10.4/src/storage/innobase/include/mem0mem.inl:375
    #3 0x559e815bd13c in row_sel_store_mysql_field /10.4/src/storage/innobase/row/row0sel.cc:3047
    #4 0x559e815be261 in row_sel_store_mysql_rec /10.4/src/storage/innobase/row/row0sel.cc:3178
    #5 0x559e815cdc16 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /10.4/src/storage/innobase/row/row0sel.cc:5589
    #6 0x559e811c4196 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /10.4/src/storage/innobase/handler/ha_innodb.cc:9405
    #7 0x559e811c74eb in ha_innobase::index_first(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9787
    #8 0x559e811c7a7b in ha_innobase::rnd_next(unsigned char*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9880
    #9 0x559e807dcd5f in handler::ha_rnd_next(unsigned char*) /10.4/src/sql/handler.cc:2904
    #10 0x559e80c15d48 in rr_sequential(READ_RECORD*) /10.4/src/sql/records.cc:485
    #11 0x559e7fe4edb9 in READ_RECORD::read_record() /10.4/src/sql/records.h:70
    #12 0x559e80156fbc in join_init_read_record(st_join_table*) /10.4/src/sql/sql_select.cc:21851
    #13 0x559e801501cd in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20899
    #14 0x559e8014e12f in do_select /10.4/src/sql/sql_select.cc:20423
    #15 0x559e800dbc77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #16 0x559e800d92a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #17 0x559e800dd483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #18 0x559e800adf7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #19 0x559e80019d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #20 0x559e800074f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #21 0x559e8002325a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #22 0x559e7fff9680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #23 0x559e7fff61ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #24 0x559e8040456c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #25 0x559e80403e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #26 0x559e810aed89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #27 0x7fb2701f7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7fb270722815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x559e810af17a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x559e7fcf1f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x559e7fd0a103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x559e7fd0a89e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x559e7fd0ad84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x559e7fd0bc40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x559e7fd09808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x559e7fceff3c in main /10.4/src/sql/main.cc:25
    #9 0x7fb26fccd082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/strings/decimal.c:801 in internal_str2dec
Shadow bytes around the buggy address:
  0x0c5280050c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280050c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5280050c50: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280050ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==679980==ABORTING
----------SERVER LOG END-------------
