[MDEV-32706] Assertion Failed at /mariadb-11.3.0/sql/handler.cc:3785 Created: 2023-11-07  Updated: 2023-12-04  Resolved: 2023-12-04

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate
duplicates MDEV-32707 Assertion Failed at /mariadb-11.3.0/s... Confirmed

 Description   

Run these queries against a debug build of the server:

-- Setup: table x with a single INT column x under a UNIQUE index, holding one row (1).
CREATE TABLE x ( x INT UNIQUE ) ;
INSERT INTO x ( x ) VALUES ( 1 ) ;
-- Trigger statement, kept exactly as reported. Every table, column, alias, CTE and
-- window in it is named x; the WHERE clause nests scalar subqueries, BETWEEN with
-- subquery bounds, recursive CTEs and an IN ( subquery ) predicate.
-- Per the GDB backtrace on this page, the failure is reached while the UPDATE is still
-- being prepared (Sql_cmd_update::prepare_inner): fixing the IN subquery evaluates a
-- scalar subquery, and range analysis of a BETWEEN bound inside it executes a further
-- subquery that ends in handler::ha_index_last.
-- The builds shown on this page abort the server process (assertion / AddressSanitizer),
-- so run this only on a disposable debug instance; release-build behaviour is not shown here.
UPDATE x SET x = 1 WHERE ( SELECT x AS x FROM x AS x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING x ORDER BY 1 DESC ) AND 1 GROUP BY x HAVING x ) IN ( SELECT DISTINCT x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING ( SELECT 1 FROM ( SELECT x FROM x WHERE x IN ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM x ) SELECT x WHERE x OR x GROUP BY x HAVING ( 1 = 1 AND x = 1 ) ) GROUP BY x , x HAVING ( 1 = 1 AND ( ( SELECT ( NOT ( ( SELECT 1 WHERE x != ( SELECT 1 FROM x WHERE x OR x = ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM ( WITH x AS ( SELECT DISTINCT x FROM x WHERE x BETWEEN ( SELECT 'x' / 1.000000 IS NOT NULL > x AS x ) AND 1 OR x BETWEEN 'x' AND 'x' ) SELECT x FROM x UNION SELECT x FROM x ) AS x ) SELECT x WHERE x > 1 OR x > 1 OR ( x = 1 AND ( x = x OR x = x ) ) OR ( x = 1 AND x = 1 ) ) ) ) ) ) WHERE x = x ) ) = 1 ) WINDOW x AS ( PARTITION BY x ORDER BY ( x , x ) NOT IN ( SELECT 'x' , x FROM x WHERE x > 1 ) DESC ) UNION SELECT x FROM x ) AS x WHERE 'x' = x OR x = x ) ) AND 1 ) ORDER BY x , x DESC ;

This triggers an assertion failure in handler::ha_index_last (sql/handler.cc:3785).
GDB backtrace:
#0 0x00007ffff6c0c00b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6beb859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6beb729 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6bfcfd6 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000555557b356b9 in handler::ha_index_last (this=0x61d000258b28, buf=0x61a0006d0938 "\377") at /home/wx/mariadb-11.3.0/sql/handler.cc:3785
#5 0x0000555557368a65 in join_read_last (tab=0x62f00000f348) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:24550
#6 0x0000555557360006 in sub_select (join=0x62f000006638, join_tab=0x62f00000f348, end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23441
#7 0x000055555735dadd in do_select (join=0x62f000006638, procedure=0x0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#8 0x00005555572dbfe9 in JOIN::exec_inner (this=0x62f000006638) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#9 0x00005555572d93a0 in JOIN::exec (this=0x62f000006638) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#10 0x0000555557dce72f in subselect_single_select_engine::exec (this=0x6290000f91d8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#11 0x0000555557da9c85 in Item_subselect::exec (this=0x62900016d2a8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#12 0x0000555557dafbe9 in Item_singlerow_subselect::val_int (this=0x62900016d2a8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#13 0x0000555557ba521f in Item::save_int_in_field (this=0x62900016d2a8, field=0x61a0006d0408, no_conversions=true) at /home/wx/mariadb-11.3.0/sql/item.cc:6843
#14 0x00005555578b2242 in Type_handler_int_result::Item_save_in_field (this=0x55555b7b6980 <type_handler_slong>, item=0x62900016d2a8, field=0x61a0006d0408, no_conversions=true) at /home/wx/mariadb-11.3.0/sql/sql_type.cc:4341
#15 0x0000555557ba540b in Item::save_in_field (this=0x62900016d2a8, field=0x61a0006d0408, no_conversions=true) at /home/wx/mariadb-11.3.0/sql/item.cc:6853
#16 0x0000555557b79bc4 in Item::save_in_field_no_warnings (this=0x62900016d2a8, field=0x61a0006d0408, no_conversions=true) at /home/wx/mariadb-11.3.0/sql/item.cc:1512
#17 0x0000555556e6a59e in Field::get_mm_leaf_int (this=0x61a0006d0408, prm=0x7fffd1119a20, key_part=0x62100015a5a8, cond=0x62900016d498, op=SCALAR_CMP_GE, value=0x62900016d2a8, unsigned_field=false) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:9248
#18 0x000055555764db87 in Field_int::get_mm_leaf (this=0x61a0006d0408, param=0x7fffd1119a20, key_part=0x62100015a5a8, cond=0x62900016d498, op=SCALAR_CMP_GE, value=0x62900016d2a8) at /home/wx/mariadb-11.3.0/sql/field.h:2550
#19 0x0000555556e68904 in Item_bool_func::get_mm_leaf (this=0x62900016d498, param=0x7fffd1119a20, field=0x61a0006d0408, key_part=0x62100015a5a8, functype=Item_func::GE_FUNC, value=0x62900016d2a8) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:9091
#20 0x0000555556e66b65 in Item_bool_func::get_mm_parts (this=0x62900016d498, param=0x7fffd1119a20, field=0x61a0006d0408, type=Item_func::GE_FUNC, value=0x62900016d2a8) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:8926
#21 0x0000555556e5fd5b in Item_func_between::get_func_mm_tree (this=0x62900016d498, param=0x7fffd1119a20, field=0x61a0006d0408, value=0x0) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:8070
#22 0x0000555556e6343e in Item_bool_func::get_full_func_mm_tree (this=0x62900016d498, param=0x7fffd1119a20, field_item=0x6290000f7380, value=0x0) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:8585
#23 0x0000555556e65059 in Item_func_between::get_mm_tree (this=0x62900016d498, param=0x7fffd1119a20, cond_ptr=0x62f000011d38) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:8774
#24 0x0000555556e3e8cc in SQL_SELECT::test_quick_select (this=0x62f000011d30, thd=0x62c0001e0288, keys_to_use=..., prev_tables=0, limit=18446744073709551615, force_quick_range=false, ordered_output=false, remove_false_parts_of_where=true, only_single_index_range_scan=false) at /home/wx/mariadb-11.3.0/sql/opt_range.cc:2923
#25 0x00005555572de278 in get_quick_record_count (thd=0x62c0001e0288, select=0x62f000011d30, table=0x619000095708, keys=0x62f000010828, limit=18446744073709551615) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5293
#26 0x00005555572e578d in make_join_statistics (join=0x62f000005d50, tables_list=..., keyuse_array=0x62f0000060b8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:6060
#27 0x00005555572c2c36 in JOIN::optimize_inner (this=0x62f000005d50) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2624
#28 0x00005555572bbba6 in JOIN::optimize (this=0x62f000005d50) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#29 0x0000555557dcd491 in subselect_single_select_engine::exec (this=0x62900016e520) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4075
#30 0x0000555557da9c85 in Item_subselect::exec (this=0x62900016e380) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#31 0x0000555557dafbe9 in Item_singlerow_subselect::val_int (this=0x62900016e380) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#32 0x0000555556e14b78 in Item::val_int_result (this=0x62900016e380) at /home/wx/mariadb-11.3.0/sql/item.h:1793
#33 0x0000555557bc30d8 in Item_cache_int::cache_value (this=0x62f00000b8b0) at /home/wx/mariadb-11.3.0/sql/item.cc:10161
#34 0x0000555557bf1836 in Item_in_optimizer::fix_left (this=0x62f00000b7d8, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1362
#35 0x0000555557dc7a5f in Item_in_subselect::select_in_like_transformer (this=0x62d00007fa78, join=0x62f000006ff8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3476
#36 0x0000555557dc031f in Item_in_subselect::select_transformer (this=0x62d00007fa78, join=0x62f000006ff8) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:2774
#37 0x0000555557791050 in check_and_do_in_subquery_rewrites (join=0x62f000006ff8) at /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:794
#38 0x00005555572b7f1c in JOIN::prepare (this=0x62f000006ff8, tables_init=0x0, conds_init=0x62d00007f0c0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x62900016e568, unit_arg=0x62d00007f238) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1631
#39 0x0000555557dcc18e in subselect_single_select_engine::prepare (this=0x62d00007fcb8, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3943
#40 0x0000555557da5ca5 in Item_subselect::fix_fields (this=0x62d00007fa78, thd_param=0x62c0001e0288, ref=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:296
#41 0x0000555557dc8ea7 in Item_in_subselect::fix_fields (this=0x62d00007fa78, thd_arg=0x62c0001e0288, ref=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:3602
#42 0x0000555556f0404f in Item::fix_fields_if_needed (this=0x62d00007fa78, thd=0x62c0001e0288, ref=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/item.h:1147
#43 0x0000555556f04089 in Item::fix_fields_if_needed_for_scalar (this=0x62d00007fa78, thd=0x62c0001e0288, ref=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/item.h:1156
#44 0x000055555703235b in Item::fix_fields_if_needed_for_bool (this=0x62d00007fa78, thd=0x62c0001e0288, ref=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/item.h:1160
#45 0x0000555557029190 in setup_conds (thd=0x62c0001e0288, tables=0x6290000f5bf8, leaves=..., conds=0x62f000004568) at /home/wx/mariadb-11.3.0/sql/sql_base.cc:8888
#46 0x00005555572af1c9 in setup_without_group (thd=0x62c0001e0288, ref_pointer_array=..., tables=0x6290000f5bf8, leaves=..., fields=..., all_fields=..., conds=0x62f000004568, order=0x62d00007fe58, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x62f00000442f, reserved=0x62c0001e52fc) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:931
#47 0x00005555572b6b86 in JOIN::prepare (this=0x62f0000040d0, tables_init=0x6290000f5bf8, conds_init=0x62d00007fa78, og_num=2, order_init=0x62d00007fe58, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x62c0001e4f10, unit_arg=0x62c0001e46d8) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1531
#48 0x0000555557569318 in Sql_cmd_update::prepare_inner (this=0x6290000f6538, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:2999
#49 0x00005555573a79a7 in Sql_cmd_dml::prepare (this=0x6290000f6538, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33265
#50 0x00005555573a7c66 in Sql_cmd_dml::execute (this=0x6290000f6538, thd=0x62c0001e0288) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33318
#51 0x00005555571c1637 in mysql_execute_command (thd=0x62c0001e0288, is_called_from_prepared_stmt=false) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4361
#52 0x00005555571d95e2 in mysql_parse (thd=0x62c0001e0288, rawbuf=0x6290000f52a8 "UPDATE x SET x = 1 WHERE ( SELECT x AS x FROM x AS x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING x ORDER BY 1 DESC ) AND 1 GROUP BY x HAVING x ) IN ( SELECT DISTINCT x WHERE x BETWEE"..., length=1087, parser_state=0x7fffd111d870) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#53 0x00005555571b1237 in dispatch_command (command=COM_QUERY, thd=0x62c0001e0288, packet=0x6290000fa289 " UPDATE x SET x = 1 WHERE ( SELECT x AS x FROM x AS x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING x ORDER BY 1 DESC ) AND 1 GROUP BY x HAVING x ) IN ( SELECT DISTINCT x WHERE x BETWE"..., packet_length=1091, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#54 0x00005555571adf7c in do_command (thd=0x62c0001e0288, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#55 0x000055555768e557 in do_handle_one_connection (connect=0x6110000410c8, put_in_cache=true) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#56 0x000055555768deb4 in handle_one_connection (arg=0x611000040f88) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#57 0x00005555582fa350 in pfs_spawn_thread (arg=0x618000005508) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#58 0x00007ffff7115609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#59 0x00007ffff6ce8133 in clone () from /lib/x86_64-linux-gnu/libc.so.6



 Comments   
Comment by Alice Sherepa [ 2023-11-08 ]

Thanks!
Repeatable on 10.4-11.3. This is the same problem as MDEV-32707; I will add the test there.

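10.4 (AddressSanitizer reports a heap-use-after-free in close_thread_tables rather than an assertion):

Version: '10.4.32-MariaDB-debug-log'  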
=================================================================
==557466==ERROR: AddressSanitizer: heap-use-after-free on address 0x6220000319a0 at pc 0x55cd561fdc7a bp 0x7fdb7118aac0 sp 0x7fdb7118aab0
READ of size 8 at 0x6220000319a0 thread T27
    #0 0x55cd561fdc79 in close_thread_tables(THD*) /10.4/src/sql/sql_base.cc:953
    #1 0x55cd563afa68 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6283
    #2 0x55cd563badc4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #3 0x55cd56391186 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #4 0x55cd5638dcb1 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #5 0x55cd5679d5b4 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #6 0x55cd5679ce58 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #7 0x55cd5743947d in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #8 0x7fdb87d57608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #9 0x7fdb87928132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6220000319a0 is located 160 bytes inside of 5844-byte region [0x622000031900,0x622000032fd4)
freed by thread T27 here:
    #0 0x7fdb8835540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55cd57fc0a5a in free_memory /10.4/src/mysys/safemalloc.c:279
    #2 0x55cd57fc0016 in sf_free /10.4/src/mysys/safemalloc.c:197
    #3 0x55cd57f8ec0e in my_free /10.4/src/mysys/my_malloc.c:222
    #4 0x55cd57f6b849 in free_root /10.4/src/mysys/my_alloc.c:428
    #5 0x55cd564e469d in free_tmp_table(THD*, TABLE*) /10.4/src/sql/sql_select.cc:20209
    #6 0x55cd561fdca4 in close_thread_tables(THD*) /10.4/src/sql/sql_base.cc:954
    #7 0x55cd563afa68 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:6283
    #8 0x55cd563badc4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #9 0x55cd56391186 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #10 0x55cd5638dcb1 in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #11 0x55cd5679d5b4 in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #12 0x55cd5679ce58 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #13 0x55cd5743947d in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #14 0x7fdb87d57608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T27 here:
    #0 0x7fdb88355808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55cd57fbf9ca in sf_malloc /10.4/src/mysys/safemalloc.c:118
    #2 0x55cd57f8e117 in my_malloc /10.4/src/mysys/my_malloc.c:101
    #3 0x55cd57f6a75a in alloc_root /10.4/src/mysys/my_alloc.c:258
    #4 0x55cd57f6af3b in multi_alloc_root /10.4/src/mysys/my_alloc.c:332
    #5 0x55cd564d4ce5 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18709
    #6 0x55cd5665dff3 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /10.4/src/sql/sql_union.cc:393
    #7 0x55cd562c5a35 in mysql_derived_prepare /10.4/src/sql/sql_derived.cc:853
    #8 0x55cd562c1b19 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
    #9 0x55cd566f08fc in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.4/src/sql/table.cc:9090
    #10 0x55cd5630a05f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.4/src/sql/sql_lex.h:4403
    #11 0x55cd5632c1c2 in st_select_lex::handle_derived(LEX*, unsigned int) /10.4/src/sql/sql_lex.cc:4306
    #12 0x55cd566f086e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.4/src/sql/table.cc:9087
    #13 0x55cd5630a05f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.4/src/sql/sql_lex.h:4403
    #14 0x55cd5632c1c2 in st_select_lex::handle_derived(LEX*, unsigned int) /10.4/src/sql/sql_lex.cc:4306
    #15 0x55cd5644dd09 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.4/src/sql/sql_select.cc:1243
    #16 0x55cd56660883 in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long, bool) /10.4/src/sql/sql_union.cc:662
    #17 0x55cd56664c0a in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long) /10.4/src/sql/sql_union.cc:1089
    #18 0x55cd562c5748 in mysql_derived_prepare /10.4/src/sql/sql_derived.cc:824
    #19 0x55cd562c1b19 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.4/src/sql/sql_derived.cc:200
    #20 0x55cd566f08fc in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.4/src/sql/table.cc:9090
    #21 0x55cd5630a05f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.4/src/sql/sql_lex.h:4403
    #22 0x55cd5632c1c2 in st_select_lex::handle_derived(LEX*, unsigned int) /10.4/src/sql/sql_lex.cc:4306
    #23 0x55cd562c5091 in mysql_derived_prepare /10.4/src/sql/sql_derived.cc:778
    #24 0x55cd562c12ea in mysql_handle_derived(LEX*, unsigned int) /10.4/src/sql/sql_derived.cc:123
    #25 0x55cd56681aaa in Multiupdate_prelocking_strategy::handle_end(THD*) /10.4/src/sql/sql_update.cc:1720
    #26 0x55cd56682ee1 in mysql_multi_update_prepare(THD*) /10.4/src/sql/sql_update.cc:1886
    #27 0x55cd563a2140 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4494
    #28 0x55cd563badc4 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #29 0x55cd56391186 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
 
Thread T27 created by T0 here:
    #0 0x7fdb88282815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55cd5743986e in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x55cd56088f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55cd560a1103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x55cd560a189e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x55cd560a1d84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x55cd560a2c40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x55cd560a0808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x55cd56086f3c in main /10.4/src/sql/main.cc:25
    #9 0x7fdb8782d082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/sql_base.cc:953 in close_thread_tables(THD*)
Shadow bytes around the buggy address:
  0x0c447fffe2e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fffe2f0: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
  0x0c447fffe300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fffe310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fffe320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c447fffe330: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffe340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffe350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffe360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffe370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fffe380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==557466==ABORTING
----------SERVER LOG END-------------

11.1-11.2 (a different assertion fails here, in handler::ha_rnd_next):

Version: '11.1.3-MariaDB-debug-log'  
mariadbd: /11.1/sql/handler.cc:3602: int handler::ha_rnd_next(uchar*): Assertion `table_share->tmp_table != NO_TMP_TABLE || m_lock_type != 2' failed.
231108 11:34:37 [ERROR] mysqld got signal 6 ;
 
 
Server version: 11.1.3-MariaDB-debug-log source revision: 5d3e14d780a227d87ea2831481958ac4d5bbd905
 
/lib/x86_64-linux-gnu/libc.so.6(+0x33fd6)[0x7f6d06abbfd6]
sql/handler.cc:3604(handler::ha_rnd_next(unsigned char*))[0x56501d2acc92]
sql/handler.cc:3867(handler::read_first_row(unsigned char*, unsigned int))[0x56501d2afec9]
sql/sql_class.h:7589(handler::ha_read_first_row(unsigned char*, unsigned int))[0x56501cf7dd6b]
sql/sql_select.cc:24052(join_read_system(st_join_table*))[0x56501cf5f67d]
sql/sql_select.cc:23956(join_read_const_table(THD*, st_join_table*, POSITION*))[0x56501cf5f20e]
sql/sql_select.cc:5723(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x56501cf2c506]
sql/sql_select.cc:2620(JOIN::optimize_inner())[0x56501cf214ec]
sql/sql_select.cc:1944(JOIN::optimize())[0x56501cf1ecd6]
sql/sql_lex.cc:4847(st_select_lex::optimize_unflattened_subqueries(bool))[0x56501ce80e95]
sql/opt_subselect.cc:5899(JOIN::optimize_constant_subqueries())[0x56501d11cf55]
sql/sql_select.cc:2274(JOIN::optimize_inner())[0x56501cf1fd02]
sql/sql_select.cc:1944(JOIN::optimize())[0x56501cf1ecd6]
sql/item_subselect.cc:4075(subselect_single_select_engine::exec())[0x56501d3c060d]
sql/item_subselect.cc:812(Item_subselect::exec())[0x56501d3b30e9]
sql/item_subselect.cc:1462(Item_singlerow_subselect::val_int())[0x56501d3b5292]
sql/item.h:1796(Item::val_int_result())[0x56501cd266c3]
sql/item.cc:10173(Item_cache_int::cache_value())[0x56501d2e5003]
sql/item_cmpfunc.cc:1413(Item_in_optimizer::fix_left(THD*))[0x56501d2f7603]
sql/item_subselect.cc:3476(Item_in_subselect::select_in_like_transformer(JOIN*))[0x56501d3be5f0]
sql/item_subselect.cc:2775(Item_in_subselect::select_transformer(JOIN*))[0x56501d3bb751]
sql/opt_subselect.cc:794(check_and_do_in_subquery_rewrites(JOIN*))[0x56501d10ef29]
sql/sql_select.cc:1631(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x56501cf1d904]
sql/item_subselect.cc:3943(subselect_single_select_engine::prepare(THD*))[0x56501d3bff25]
sql/item_subselect.cc:296(Item_subselect::fix_fields(THD*, Item**))[0x56501d3b19b2]
sql/item_subselect.cc:3602(Item_in_subselect::fix_fields(THD*, Item**))[0x56501d3bed62]
sql/item.h:1150(Item::fix_fields_if_needed(THD*, Item**))[0x56501cd853ea]
sql/item.h:1159(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x56501cd85423]
sql/item.h:1164(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x56501ce11ed5]
sql/sql_base.cc:8903(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x56501ce0e247]
sql/sql_select.cc:930(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*))[0x56501cf1a1a6]
sql/sql_select.cc:1532(JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x56501cf1d295]
sql/sql_update.cc:3006(Sql_cmd_update::prepare_inner(THD*))[0x56501d022440]
sql/sql_select.cc:33354(Sql_cmd_dml::prepare(THD*))[0x56501cf78c94]
sql/sql_select.cc:33407(Sql_cmd_dml::execute(THD*))[0x56501cf78e25]
sql/sql_parse.cc:4405(mysql_execute_command(THD*, bool))[0x56501ceb8f16]
sql/sql_parse.cc:7782(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x56501cec43a8]
sql/sql_parse.cc:1894(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x56501ceb1747]
sql/sql_parse.cc:1405(do_command(THD*, bool))[0x56501ceb00fb]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x56501d09c31d]
sql/sql_connect.cc:1320(handle_one_connection)[0x56501d09c079]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x56501d5bbd51]
nptl/pthread_create.c:478(start_thread)[0x7f6d06fd6609]
 
Query (0x7f6cd4015600): UPDATE x SET x = 1 WHERE ( SELECT x AS x FROM x AS x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING x ORDER BY 1 DESC ) AND 1 GROUP BY x HAVING x ) IN ( SELECT DISTINCT x WHERE x BETWEEN ( SELECT x AS x FROM x AS x GROUP BY x HAVING ( SELECT 1 FROM ( SELECT x FROM x WHERE x IN ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM x ) SELECT x WHERE x OR x GROUP BY x HAVING ( 1 = 1 AND x = 1 ) ) GROUP BY x , x HAVING ( 1 = 1 AND ( ( SELECT ( NOT ( ( SELECT 1 WHERE x != ( SELECT 1 FROM x WHERE x OR x = ( WITH RECURSIVE x ( x ) AS ( SELECT 1 INTERSECT SELECT x + 1 FROM ( WITH x AS ( SELECT DISTINCT x FROM x WHERE x BETWEEN ( SELECT 'x' / 1.000000 IS NOT NULL > x AS x ) AND 1 OR x BETWEEN 'x' AND 'x' ) SELECT x FROM x UNION SELECT x FROM x ) AS x ) SELECT x WHERE x > 1 OR x > 1 OR ( x = 1 AND ( x = x OR x = x ) ) OR ( x = 1 AND x = 1 ) ) ) ) ) ) WHERE x = x ) ) = 1 ) WINDOW x AS ( PARTITION BY x ORDER BY ( x , x ) NOT IN ( SELECT 'x' , x FROM x WHERE x > 1 ) DESC ) UNION SELECT x FROM x ) AS x WHERE 'x' = x OR x = x ) ) AND 1 ) ORDER BY x , x DESC
