Description:
One of the test cases for the patch for
Bug #20315088 LCASE/LTRIM, SOURCE AND DESTINATION OVERLAP IN MEMCPY
has uncovered yet another String copy/append bug.
How to repeat:
do concat('111','11111111111111111111111111',
substring_index(uuid(),0,1.111111e+308));
Run with ASAN or valgrind to see the illegal copy:
==22565==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x6060000c106d,0x6060000c1077) and [0x6060000c106a, 0x6060000c1074) overlap
#0 0x7f92f40e5f24 (/lib64/libasan.so.1+0x2ff24)
#1 0x13e0847 in String::append(String const&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:449
#2 0xe855d7 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1460
#3 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
#4 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
#5 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
#6 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
#7 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
#8 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
#9 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
#10 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
#11 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)
#12 0x7f92f2b6b79c in __clone (/lib64/libc.so.6+0x10079c)
0x6060000c106d is located 45 bytes inside of 56-byte region [0x6060000c1040,0x6060000c1078)
allocated by thread T39 here:
#0 0x7f92f410d7b7 in malloc (/lib64/libasan.so.1+0x577b7)
#1 0x18602ab in my_raw_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:173
#2 0x18602ab in my_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:53
#3 0x13deba5 in String::mem_realloc(unsigned long, bool) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:119
#4 0xe82757 in Item_func_uuid::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:5764
#5 0xe8dc76 in Item_func_substr_index::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:2445
#6 0xe85319 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1436
#7 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
#8 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
#9 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
#10 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
#11 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
#12 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
#13 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
#14 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
#15 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)
Thread T39 created by T0 here:
#0 0x7f92f40d9daa in pthread_create (/lib64/libasan.so.1+0x23daa)
#1 0x188103b in my_thread_create /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_thread.c:92
#2 0x19a2ae5 in pfs_spawn_thread_v1 /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2198
#3 0x13e63ee in inline_mysql_thread_create /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/include/mysql/psi/mysql_thread.h:1296
#4 0x13e63ee in Per_thread_connection_handler::add_connection(Channel_info*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:405
#5 0x7b80a9 in Connection_handler_manager::process_new_connection(Channel_info*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_manager.cc:247
#6 0x759e97 in Connection_acceptor<Mysqld_socket_listener>::connection_event_loop() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_acceptor.h:69
#7 0x759e97 in mysqld_main(int, char**) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/mysqld.cc:5018
#8 0x74113e in main /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/main.cc:25
#9 0x7f92f2a8afdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
0x6060000c106a is located 42 bytes inside of 56-byte region [0x6060000c1040,0x6060000c1078)
allocated by thread T39 here:
#0 0x7f92f410d7b7 in malloc (/lib64/libasan.so.1+0x577b7)
#1 0x18602ab in my_raw_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:173
#2 0x18602ab in my_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:53
#3 0x13deba5 in String::mem_realloc(unsigned long, bool) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:119
#4 0xe82757 in Item_func_uuid::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:5764
#5 0xe8dc76 in Item_func_substr_index::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:2445
#6 0xe85319 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1436
#7 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
#8 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
#9 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
#10 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
#11 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
#12 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
#13 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
#14 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
#15 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)
Suggested fix:
Don't use memcpy() on overlapping strings.
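The failure mode above is an append whose source pointer lies inside the destination buffer: once the buffer grows, the source may dangle, and even without a reallocation the two ranges can overlap, which memcpy() is not allowed to handle. The following is an added illustration written for this report, not code from sql_string.cc; the str_t type, its functions and the "hello" sample input are constructed. It puts the buggy shape (grow, then memcpy from an unchecked source) beside a hardened append that detects aliasing, bounds the self-referencing source to the bytes actually in use, re-derives the pointer after realloc, and copies with memmove.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a growable string (not the MySQL String class). */
typedef struct {
    char  *ptr;      /* heap buffer, always NUL-terminated */
    size_t len;      /* bytes in use, excluding the terminator */
    size_t alloced;  /* capacity including the terminator */
} str_t;

int str_init(str_t *s, const char *init)
{
    s->len = strlen(init);
    s->alloced = s->len + 1;          /* exact fit, so any append must grow */
    s->ptr = malloc(s->alloced);
    if (!s->ptr) return -1;
    memcpy(s->ptr, init, s->alloced);
    return 0;
}

void str_free(str_t *s)
{
    free(s->ptr);
    s->ptr = NULL;
    s->len = s->alloced = 0;
}

/* Returns 1 if [src, src+n) intersects s's allocation. Addresses are compared
   as integers because relational comparison of pointers into different
   allocations is undefined in C. */
int str_aliases(const str_t *s, const char *src, size_t n)
{
    uintptr_t b = (uintptr_t)s->ptr, e = b + s->alloced;
    uintptr_t a = (uintptr_t)src,    z = a + n;
    return a < e && z > b;
}

/* Buggy shape, as in the report: grow, then memcpy from src. If src aliases
   s->ptr, realloc may have moved the buffer so src dangles, and when it does
   not move the source and destination ranges can still overlap. Only safe
   when the caller guarantees src is a separate buffer. */
int str_append_unsafe(str_t *s, const char *src, size_t n)
{
    if (s->len + n + 1 > s->alloced) {
        char *p = realloc(s->ptr, s->len + n + 1);
        if (!p) return -1;
        s->ptr = p;
        s->alloced = s->len + n + 1;
    }
    memcpy(s->ptr + s->len, src, n);  /* overlap or dangling src is UB here */
    s->len += n;
    s->ptr[s->len] = '\0';
    return 0;
}

/* Hardened form: detect aliasing up front, require a self-referencing source
   to lie within the bytes in use, re-derive it after realloc, use memmove. */
int str_append_safe(str_t *s, const char *src, size_t n)
{
    int alias = str_aliases(s, src, n);
    size_t off = 0;
    if (alias) {
        off = (size_t)(src - s->ptr);
        /* Bytes past len are uninitialised or about to be overwritten. */
        if (off > s->len || n > s->len - off) return -1;
    }
    if (s->len + n + 1 > s->alloced) {
        size_t cap = s->len + n + 1;
        char *p = realloc(s->ptr, cap);
        if (!p) return -1;
        s->ptr = p;
        s->alloced = cap;
        if (alias) src = s->ptr + off;   /* the old pointer is now invalid */
    }
    memmove(s->ptr + s->len, src, n);   /* memmove tolerates overlap */
    s->len += n;
    s->ptr[s->len] = '\0';
    return 0;
}

/* Worked scenario on constructed input: returns 1 when the hardened append
   builds "hellollo" from its own tail, rejects a self-source that reaches past
   the bytes in use, and the plain append still works for a separate buffer. */
int demo_self_append(void)
{
    str_t s;
    int ok;
    if (str_init(&s, "hello") != 0) return 0;
    ok = str_append_safe(&s, s.ptr + 2, 3) == 0 && strcmp(s.ptr, "hellollo") == 0
      && str_append_safe(&s, s.ptr + 6, 5) == -1 && strcmp(s.ptr, "hellollo") == 0
      && str_append_unsafe(&s, "!", 1) == 0 && strcmp(s.ptr, "hellollo!") == 0;
    str_free(&s);
    return ok;
}

int main(void)
{
    puts(demo_self_append() ? "hardened append behaves as expected" : "FAILED");
    return 0;
}
```

The length check is the part that matters for a report like this one: when the source aliases the destination, overlap between the two ranges can only arise if the source extends past the bytes the string currently holds, which means the caller's length bookkeeping is already inconsistent, so the append should refuse rather than copy. Building with -fsanitize=address and calling str_append_unsafe with an aliasing source reproduces the memcpy-param-overlap class of report shown above.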