Bug #120188 Executing the EXPLAIN ANALYZE statement in a loop within a stored procedure triggers an error
Submitted: 31 Mar 12:00    Modified: 31 Mar 12:24
Reporter: Alice Alice
Status: Open
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 9.6, 8.0.45    OS: Any
Assigned to:    CPU Architecture: Any

[31 Mar 12:00] Alice Alice
Description:
Executing the EXPLAIN ANALYZE statement in a loop within a stored procedure triggers an error.

The error message is as follows:
/home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1010:50: runtime error: member access within address 0x7f692b787370 which does not point to an object of type 'Query_result'
0x7f692b787370: note: object has a possibly invalid vptr: abs(offset to top) too big
 47 56 00 00  10 70 39 00 70 60 00 00  10 70 39 00 70 60 00 00  40 41 5c 77 47 56 00 00  38 70 39 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              possibly invalid vptr
    #0 0x56474e61ecbf in Query_expression::optimize(THD*, TABLE*, bool, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1010
    #1 0x56474e2f4228 in Sql_cmd_dml::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:999
    #2 0x56474e344102 in Sql_cmd_dml::execute(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:785
    #3 0x56474e08a232 in mysql_execute_command(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:4724
    #4 0x56474db4914d in sp_instr_stmt::exec_core(THD*, unsigned int*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:990
    #5 0x56474db5e7c2 in sp_lex_instr::reset_lex_and_exec_core(THD*, unsigned int*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:462
    #6 0x56474db60818 in sp_lex_instr::validate_lex_and_execute_core(THD*, unsigned int*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:750
    #7 0x56474db657ae in sp_instr_stmt::execute(THD*, unsigned int*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:916
    #8 0x56474db0c876 in sp_head::execute(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_head.cc:2229
    #9 0x56474db16639 in sp_head::execute_procedure(THD*, mem_root_deque<Item*>*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_head.cc:2890
    #10 0x56475028e2a9 in Sql_cmd_call::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_call.cc:234
    #11 0x56474e344102 in Sql_cmd_dml::execute(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:785
    #12 0x56474e08a232 in mysql_execute_command(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:4724
    #13 0x56474e094293 in dispatch_sql_command(THD*, Parser_state*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:5385
    #14 0x56474e09e025 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:2055
    #15 0x56474e0aaf15 in do_command(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:1440
    #16 0x56474e99adec in handle_connection /home/wwb/workspace/dstore/mysql-8.0.45/sql/conn_handler/connection_handler_per_thread.cc:303
    #17 0x56475635647d in pfs_spawn_thread /home/wwb/workspace/dstore/mysql-8.0.45/storage/perfschema/pfs.cc:3050
    #18 0x7f6960d83d10 in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) (/opt/hw/gcc-10.3/lib64/libasan.so.6+0x11bd10)
    #19 0x7f6960d6983d in asan_thread_start(void*) (/opt/hw/gcc-10.3/lib64/libasan.so.6+0x10183d)
    #20 0x7f6960c48f3a  (/usr/lib64/libpthread.so.0+0x8f3a)
    #21 0x7f695e7d897f in __clone (/usr/lib64/libc.so.6+0xf897f)

/home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1045:23: runtime error: member access within address 0x7f692b787370 which does not point to an object of type 'Query_result'
0x7f692b787370: note: object has invalid vptr
 47 56 00 00  fa 04 00 00 00 00 00 00  b0 45 08 00 20 63 00 00  b0 73 78 2b 69 7f 00 00  40 74 78 2b
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
    #0 0x56474e61f76a in Query_expression::optimize(THD*, TABLE*, bool, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1045
    #1 0x56474e2f4228 in Sql_cmd_dml::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:999
    #2 0x56474e344102 in Sql_cmd_dml::execute(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:785
    #3 0x56474e08a232 in mysql_execute_command(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:4724
    #4 0x56474db4914d in sp_instr_stmt::exec_core(THD*, unsigned int*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:990
    #5 0x56474db5e7c2 in sp_lex_instr::reset_lex_and_exec_core(THD*, unsigned int*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:462
    #6 0x56474db60818 in sp_lex_instr::validate_lex_and_execute_core(THD*, unsigned int*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:750
    #7 0x56474db657ae in sp_instr_stmt::execute(THD*, unsigned int*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_instr.cc:916
    #8 0x56474db0c876 in sp_head::execute(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_head.cc:2229
    #9 0x56474db16639 in sp_head::execute_procedure(THD*, mem_root_deque<Item*>*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sp_head.cc:2890
    #10 0x56475028e2a9 in Sql_cmd_call::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_call.cc:234
    #11 0x56474e344102 in Sql_cmd_dml::execute(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:785
    #12 0x56474e08a232 in mysql_execute_command(THD*, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:4724
    #13 0x56474e094293 in dispatch_sql_command(THD*, Parser_state*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:5385
    #14 0x56474e09e025 in dispatch_command(THD*, COM_DATA const*, enum_server_command) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:2055
    #15 0x56474e0aaf15 in do_command(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_parse.cc:1440
    #16 0x56474e99adec in handle_connection /home/wwb/workspace/dstore/mysql-8.0.45/sql/conn_handler/connection_handler_per_thread.cc:303
    #17 0x56475635647d in pfs_spawn_thread /home/wwb/workspace/dstore/mysql-8.0.45/storage/perfschema/pfs.cc:3050
    #18 0x7f6960d83d10 in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) (/opt/hw/gcc-10.3/lib64/libasan.so.6+0x11bd10)
    #19 0x7f6960d6983d in asan_thread_start(void*) (/opt/hw/gcc-10.3/lib64/libasan.so.6+0x10183d)
    #20 0x7f6960c48f3a  (/usr/lib64/libpthread.so.0+0x8f3a)
    #21 0x7f695e7d897f in __clone (/usr/lib64/libc.so.6+0xf897f)

How to repeat:
1. Compile a version of mysqld with ASAN and UBSAN enabled, i.e., add -DWITH_ASAN=1 -DWITH_UBSAN=1 during compilation.

2. Execute the following test case:
create database test;
use test;

CREATE TABLE tbl_range_table (
    id_col int AUTO_INCREMENT PRIMARY KEY
);
INSERT INTO tbl_range_table (id_col) VALUES (DEFAULT), (DEFAULT);

DELIMITER $$
CREATE PROCEDURE t3()
BEGIN
    DECLARE i INT DEFAULT 1;
    -- the loop body runs twice, so the same sp instruction is executed a second time
    WHILE i <= 2 DO
        -- `co` directly after the closing backtick is parsed as a table alias
        explain analyze SELECT * FROM `tbl_range_table`co;
        SET i = i + 1;
    END WHILE;
END$$
DELIMITER ;

CALL t3();
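Added example, not part of this bug report and not MySQL code: a small Python helper that turns UBSan reports like the two above into structured records and de-duplication keys, the way one sorts sanitizer output from a fuzzer or a test run. The part worth keying on is the diagnostic itself: "does not point to an object of type 'Query_result'" together with an "invalid vptr" note means the server is about to use, through a Query_result pointer, memory whose vtable pointer is not a valid Query_result vtable, i.e. the pointer refers to stale or reused memory. In a build without sanitizers the same access goes through whatever those bytes hold, so this class of report belongs in a higher triage bucket than, say, shift or overflow UB. The sample text is a trimmed copy of the two reports above and SOURCE_ROOT is taken from the paths in them; both are constructed inputs for the example, not a reproduction.

```python
"""Triage helper for UBSan/ASan 'runtime error' reports such as the two above.
Added example for this page; not part of the bug report and not MySQL code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the two reports from the bug above with their frame
# lists trimmed; the source root below is taken from the paths they contain.
SOURCE_ROOT = "/home/wwb/workspace/dstore/mysql-8.0.45"
SAMPLE_REPORT = """\
/home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1010:50: runtime error: member access within address 0x7f692b787370 which does not point to an object of type 'Query_result'
0x7f692b787370: note: object has a possibly invalid vptr: abs(offset to top) too big
 47 56 00 00  10 70 39 00 70 60 00 00  10 70 39 00 70 60 00 00  40 41 5c 77 47 56 00 00  38 70 39 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              possibly invalid vptr
    #0 0x56474e61ecbf in Query_expression::optimize(THD*, TABLE*, bool, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1010
    #1 0x56474e2f4228 in Sql_cmd_dml::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:999
    #2 0x56474e344102 in Sql_cmd_dml::execute(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:785
    #18 0x7f6960d83d10 in __asan::AsanThread::ThreadStart(unsigned long long, __sanitizer::atomic_uintptr_t*) (/opt/hw/gcc-10.3/lib64/libasan.so.6+0x11bd10)
    #20 0x7f6960c48f3a  (/usr/lib64/libpthread.so.0+0x8f3a)

/home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1045:23: runtime error: member access within address 0x7f692b787370 which does not point to an object of type 'Query_result'
0x7f692b787370: note: object has invalid vptr
    #0 0x56474e61f76a in Query_expression::optimize(THD*, TABLE*, bool, bool) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_union.cc:1045
    #1 0x56474e2f4228 in Sql_cmd_dml::execute_inner(THD*) /home/wwb/workspace/dstore/mysql-8.0.45/sql/sql_select.cc:999
"""

ERROR_RE = re.compile(r"^(?P<file>[^\s:]+):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.+)$")
NOTE_RE = re.compile(r"^0x[0-9a-fA-F]+: note: (?P<note>.+)$")
# '#N 0xADDR in func(args) /path:line'; unsymbolised frames have no 'in func' part.
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+(?: in (?P<func>.+?))?\s+(?P<loc>\S+)$")
VPTR_RE = re.compile(r"does not point to an object of type '(?P<type>[^']+)'")

@dataclass
class Frame:
    index: int
    function: Optional[str]  # None when the frame has no symbol
    location: str

@dataclass
class SanitizerIssue:
    file: str
    line: int
    column: int
    message: str
    note: Optional[str] = None
    frames: list[Frame] = field(default_factory=list)

def parse_sanitizer_report(text: str) -> list[SanitizerIssue]:
    """One record per 'runtime error' header, with the note and stack frames that
    follow it; hex dumps and '^~~~' marker lines match nothing and are skipped."""
    issues: list[SanitizerIssue] = []
    current: Optional[SanitizerIssue] = None
    for raw in text.splitlines():
        if m := ERROR_RE.match(raw):
            current = SanitizerIssue(m["file"], int(m["line"]), int(m["col"]), m["msg"])
            issues.append(current)
        elif current is not None and (m := NOTE_RE.match(raw)):
            current.note = m["note"]
        elif current is not None and (m := FRAME_RE.match(raw)):
            current.frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    return issues

def classify(issue: SanitizerIssue) -> str:
    """Coarse bucket: an invalid vptr means the object behind a polymorphic pointer
    has a vtable pointer that is not the expected class's (stale or reused memory)."""
    return "invalid-vptr" if VPTR_RE.search(issue.message) else "other-ub"

def expected_type(issue: SanitizerIssue) -> Optional[str]:
    m = VPTR_RE.search(issue.message)
    return m["type"] if m else None

def _relative(path: str, root: str) -> str:
    return path[len(root):].lstrip("/") if path.startswith(root) else path

def project_frames(issue: SanitizerIssue, root: str, limit: int = 3) -> list[str]:
    """Top `limit` symbolised frames inside the project tree; sanitizer runtime,
    libpthread and libc frames are identical in every report and are skipped.
    Argument lists are dropped so overloads do not split a group."""
    out: list[str] = []
    for f in issue.frames:
        if f.function and f.location.startswith(root):
            out.append(f"{f.function.split('(', 1)[0]}@{_relative(f.location, root)}")
            if len(out) == limit:
                break
    return out

def signature(issue: SanitizerIssue, root: str) -> str:
    """De-duplication key: bucket, fault site, top project frames; raw addresses
    are left out because they change between runs."""
    site = f"{_relative(issue.file, root)}:{issue.line}"
    return "|".join([classify(issue), site, *project_frames(issue, root)])

def group_by_signature(issues: list[SanitizerIssue], root: str) -> dict[str, list[SanitizerIssue]]:
    groups: dict[str, list[SanitizerIssue]] = {}
    for issue in issues:
        groups.setdefault(signature(issue, root), []).append(issue)
    return groups
```

Feed the full mysqld error log text to parse_sanitizer_report and key on signature() to collapse repeats from many loop iterations into one group per fault site; the two reports above get different keys because they fire from different lines of Query_expression::optimize (1010 and 1045), while the shared address 0x7f692b787370 is deliberately not part of the key.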
[31 Mar 12:24] Alice Alice
add bug version