[MDEV-32677] MariaDB crash when I enter a SQL query Created: 2023-11-04  Updated: 2023-11-06  Resolved: 2023-11-06

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: li
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-32458 ASAN unknown-crash in Inet6::ascii_to... Confirmed

Description

CREATE TABLE v1 (c CHAR(3));
INSERT INTO v1 VALUES ('1:0'),('00:');
SELECT * FROM v1 WHERE c>CAST('::1' AS INET6);

Comments
Comment by Sergei Golubchik [ 2023-11-04 ]

In what MariaDB version does it crash for you?

Comment by Alice Sherepa [ 2023-11-06 ]

Thank you! I repeated as described on 10.5-11.2

Version: '10.5.23-MariaDB-debug-log'  b06ac9a8cd2146e89270cc2150d306d8ed1b33fb
=================================================================
==335947==ERROR: AddressSanitizer: unknown-crash on address 0x6190000e023c at pc 0x562e363099e1 bp 0x7fb03f1b6550 sp 0x7fb03f1b6540
READ of size 1 at 0x6190000e023c thread T27
    #0 0x562e363099e0 in Inet6::ascii_to_ipv6(char const*, unsigned long) /10.5/src/plugin/type_inet/sql_type_inet.cc:232
    #1 0x562e363079d2 in Inet6::character_string_to_ipv6(char const*, unsigned long, charset_info_st const*) /10.5/src/plugin/type_inet/sql_type_inet.h:153
    #2 0x562e36307e04 in Inet6_null::Inet6_null(char const*, unsigned long, charset_info_st const*) /10.5/src/plugin/type_inet/sql_type_inet.h:260
    #3 0x562e36307e77 in Inet6_null::Inet6_null(String const&) /10.5/src/plugin/type_inet/sql_type_inet.h:263
    #4 0x562e3630c157 in Type_handler_inet6::character_or_binary_string_to_native(THD*, String const*, Native*) const /10.5/src/plugin/type_inet/sql_type_inet.cc:1406
    #5 0x562e36311cf8 in Type_handler_inet6::Item_val_native_with_conversion(THD*, Item*, Native*) const /10.5/src/plugin/type_inet/sql_type_inet.h:781
    #6 0x562e34b13c72 in Item::val_native_with_conversion(THD*, Native*, Type_handler const*) /10.5/src/sql/item.h:1338
    #7 0x562e34d1ade2 in Arg_comparator::compare_native() /10.5/src/sql/item_cmpfunc.cc:815
    #8 0x562e34d61b13 in Arg_comparator::compare() /10.5/src/sql/item_cmpfunc.h:102
    #9 0x562e34d279be in Item_func_gt::val_int() /10.5/src/sql/item_cmpfunc.cc:1834
    #10 0x562e34568327 in evaluate_join_record /10.5/src/sql/sql_select.cc:21275
    #11 0x562e34567c63 in sub_select(JOIN*, st_join_table*, bool) /10.5/src/sql/sql_select.cc:21216
    #12 0x562e34565365 in do_select /10.5/src/sql/sql_select.cc:20696
    #13 0x562e344ef9b9 in JOIN::exec_inner() /10.5/src/sql/sql_select.cc:4602
    #14 0x562e344ecfc3 in JOIN::exec() /10.5/src/sql/sql_select.cc:4382
    #15 0x562e344f1408 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.5/src/sql/sql_select.cc:4859
    #16 0x562e344c20ba in handle_select(THD*, LEX*, select_result*, unsigned long) /10.5/src/sql/sql_select.cc:450
    #17 0x562e3442764c in execute_sqlcom_select /10.5/src/sql/sql_parse.cc:6343
    #18 0x562e344163b1 in mysql_execute_command(THD*) /10.5/src/sql/sql_parse.cc:4020
    #19 0x562e344329be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/src/sql/sql_parse.cc:8120
    #20 0x562e344083ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/src/sql/sql_parse.cc:1891
    #21 0x562e34404d54 in do_command(THD*) /10.5/src/sql/sql_parse.cc:1375
    #22 0x562e348639a2 in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1416
    #23 0x562e34863306 in handle_one_connection /10.5/src/sql/sql_connect.cc:1318
    #24 0x562e354efb01 in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
    #25 0x7fb0559bb608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #26 0x7fb05558c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6190000e023c is located 188 bytes inside of 1124-byte region [0x6190000e0180,0x6190000e05e4)
allocated by thread T27 here:
    #0 0x7fb055fd7808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x562e361a95ec in sf_malloc /10.5/src/mysys/safemalloc.c:121
    #2 0x562e36176df1 in my_malloc /10.5/src/mysys/my_malloc.c:91
    #3 0x562e36152b6d in alloc_root /10.5/src/mysys/my_alloc.c:256
    #4 0x562e361541f6 in strmake_root /10.5/src/mysys/my_alloc.c:485
    #5 0x562e3477bb5e in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /10.5/src/sql/table.cc:4020
    #6 0x562e3426c8f3 in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.5/src/sql/sql_base.cc:2020
    #7 0x562e34276471 in open_and_process_table /10.5/src/sql/sql_base.cc:3812
    #8 0x562e342790c0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.5/src/sql/sql_base.cc:4296
    #9 0x562e3427e28b in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /10.5/src/sql/sql_base.cc:5243
    #10 0x562e341d1f64 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /10.5/src/sql/sql_base.h:507
    #11 0x562e3434d6ad in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /10.5/src/sql/sql_insert.cc:758
    #12 0x562e3441a274 in mysql_execute_command(THD*) /10.5/src/sql/sql_parse.cc:4641
    #13 0x562e344329be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/src/sql/sql_parse.cc:8120
    #14 0x562e344083ec in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/src/sql/sql_parse.cc:1891
    #15 0x562e34404d54 in do_command(THD*) /10.5/src/sql/sql_parse.cc:1375
    #16 0x562e348639a2 in do_handle_one_connection(CONNECT*, bool) /10.5/src/sql/sql_connect.cc:1416
    #17 0x562e34863306 in handle_one_connection /10.5/src/sql/sql_connect.cc:1318
    #18 0x562e354efb01 in pfs_spawn_thread /10.5/src/storage/perfschema/pfs.cc:2201
    #19 0x7fb0559bb608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7fb055f04815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x562e354eb6d6 in my_thread_create /10.5/src/storage/perfschema/my_thread.h:52
    #2 0x562e354efef4 in pfs_spawn_thread_v1 /10.5/src/storage/perfschema/pfs.cc:2252
    #3 0x562e340e9974 in inline_mysql_thread_create /10.5/src/include/mysql/psi/mysql_thread.h:1323
    #4 0x562e34100083 in create_thread_to_handle_connection(CONNECT*) /10.5/src/sql/mysqld.cc:6062
    #5 0x562e34100702 in create_new_thread(CONNECT*) /10.5/src/sql/mysqld.cc:6121
    #6 0x562e34100a5f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/src/sql/mysqld.cc:6186
    #7 0x562e341016c1 in handle_connections_sockets() /10.5/src/sql/mysqld.cc:6313
    #8 0x562e340ff890 in mysqld_main(int, char**) /10.5/src/sql/mysqld.cc:5708
    #9 0x562e340e81bc in main /10.5/src/sql/main.cc:25
    #10 0x7fb055491082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: unknown-crash /10.5/src/plugin/type_inet/sql_type_inet.cc:232 in Inet6::ascii_to_ipv6(char const*, unsigned long)
Shadow bytes around the buggy address:
  0x0c3280013ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280014000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280014010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x0c3280014020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280014030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280014040: 00 00 00 00 f7 03 f7[04]04 f7 00 00 f7 f7 f7 f7
  0x0c3280014050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280014060: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
  0x0c3280014070: 00 04 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280014080: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c3280014090: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==335947==ABORTING

Generated at Thu Feb 08 10:33:09 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.