
Valgrind Invalid read, ASAN heap-use-after-free in Item_ident::print upon SHOW CREATE on partitioned table



      Description

      # Reproducer for MDEV-14750: a read of freed memory in Item_ident::print
      # while SHOW CREATE TABLE prints the PARTITION BY expression.
      --source include/have_partition.inc
       
      # The partitioning expression references column f1, so SHOW CREATE TABLE
      # has to print an Item_field (Item_field::print under
      # generate_partition_syntax in the reported stack).
      CREATE TABLE t_partition (f1 INT) PARTITION BY HASH(f1) PARTITIONS 2;
       
      # First open of the table.  The sanitizer report shows the buffer that is
      # later freed being allocated under execute_sqlcom_select ->
      # open_table_from_share -> String::copy.
      # NOTE(review): the alias is presumably what makes TABLE::init re-copy the
      # String on the next open — confirm before changing or dropping it.
      SELECT * FROM t_partition AS tbl;
      # Second open: TABLE::init -> String::copy -> real_alloc frees the old
      # buffer, and generate_partition_syntax -> Item_ident::print then still
      # reads through it (the ASAN "READ of size 1" and the valgrind
      # "Invalid read of size 1" below).
      SHOW CREATE TABLE t_partition;
       
      # Cleanup
      DROP TABLE t_partition;
      

      10.2 6e7ca6b0b29a7 ASAN

      ==22663==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000028670 at pc 0x5564419ffd6c bp 0x7ff5cb3ff6d0 sp 0x7ff5cb3ff6c8
      READ of size 1 at 0x60c000028670 thread T5
          #0 0x5564419ffd6b in Item_ident::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:2671
          #1 0x556441a226d5 in Item_field::print(String*, enum_query_type) /data/src/10.2/sql/item.cc:7341
          #2 0x5564419f02ec in Item::print_parenthesised(String*, enum_query_type, precedence) /data/src/10.2/sql/item.cc:584
          #3 0x556441598207 in Item::print_for_table_def(String*) /data/src/10.2/sql/item.h:1307
          #4 0x556441dd433a in generate_partition_syntax(THD*, partition_info*, unsigned int*, bool, HA_CREATE_INFO*, Alter_info*) /data/src/10.2/sql/sql_partition.cc:2287
          #5 0x55644154ff58 in show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name) /data/src/10.2/sql/sql_show.cc:2297
          #6 0x55644154845f in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1251
          #7 0x556441548bff in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
          #8 0x5564413e4728 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4222
          #9 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
          #10 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
          #11 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
          #12 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #13 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #14 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
          #15 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #16 0x7ff5d5c6c93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60c000028670 is located 112 bytes inside of 124-byte region [0x60c000028600,0x60c00002867c)
      freed by thread T5 here:
          #0 0x7ff5d7af0527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x556442a4abf1 in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x556442a4a252 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x556442a194de in my_free /data/src/10.2/mysys/my_malloc.c:217
          #4 0x5564411f9347 in String::free() /data/src/10.2/sql/sql_string.h:351
          #5 0x5564415b26b3 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:44
          #6 0x556441217f69 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
          #7 0x5564415b3684 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
          #8 0x55644166f1f5 in TABLE::init(THD*, TABLE_LIST*) /data/src/10.2/sql/table.cc:4464
          #9 0x5564412ce7bb in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1938
          #10 0x5564412d48a8 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
          #11 0x5564412d6fd0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
          #12 0x55644137dc93 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /data/src/10.2/sql/sql_base.h:463
          #13 0x556441548101 in mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) /data/src/10.2/sql/sql_show.cc:1229
          #14 0x556441548bff in mysqld_show_create(THD*, TABLE_LIST*) /data/src/10.2/sql/sql_show.cc:1324
          #15 0x5564413e4728 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4222
          #16 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
          #17 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
          #18 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
          #19 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #20 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #21 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
          #22 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7ff5d7af073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x556442a499f4 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x556442a18c16 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x5564415b2712 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:47
          #4 0x556441217f69 in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
          #5 0x5564415b3684 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:187
          #6 0x556441664553 in open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) /data/src/10.2/sql/table.cc:3025
          #7 0x5564412ce316 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1877
          #8 0x5564412d48a8 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3409
          #9 0x5564412d6fd0 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:3928
          #10 0x5564412dacd6 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4682
          #11 0x5564412bca56 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:494
          #12 0x5564413f3762 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6380
          #13 0x5564413e0db9 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3463
          #14 0x5564413fc5cf in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7900
          #15 0x5564413d7940 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1805
          #16 0x5564413d49df in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1360
          #17 0x55644170e892 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #18 0x55644170e2a7 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #19 0x556442116f2b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1863
          #20 0x7ff5d7886493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7ff5d7abfbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5564421174f3 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1913
          #2 0x5564411d718f in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x5564411ebed8 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6423
          #4 0x5564411ec5dd in create_new_thread /data/src/10.2/sql/mysqld.cc:6493
          #5 0x5564411ed5ee in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6768
          #6 0x5564411eb425 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6042
          #7 0x5564411d56bf in main /data/src/10.2/sql/main.cc:25
          #8 0x7ff5d5ba42b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/item.cc:2671 Item_ident::print(String*, enum_query_type)
      Shadow bytes around the buggy address:
        0x0c187fffd070: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffd080: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c187fffd090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c187fffd0a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffd0b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      =>0x0c187fffd0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
        0x0c187fffd0d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffd0e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c187fffd0f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c187fffd100: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffd110: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==22663==ABORTING
      

      10.2 6e7ca6b0b2 valgrind

      ==30373== Thread 6:
      ==30373== Invalid read of size 1
      ==30373==    at 0x951081: Item_ident::print(String*, enum_query_type) (item.cc:2671)
      ==30373==    by 0x95E727: Item_field::print(String*, enum_query_type) (item.cc:7341)
      ==30373==    by 0x94B536: Item::print_parenthesised(String*, enum_query_type, precedence) (item.cc:584)
      ==30373==    by 0x766AA1: Item::print_for_table_def(String*) (item.h:1307)
      ==30373==    by 0xAEB721: generate_partition_syntax(THD*, partition_info*, unsigned int*, bool, HA_CREATE_INFO*, Alter_info*) (sql_partition.cc:2287)
      ==30373==    by 0x74CB57: show_create_table(THD*, TABLE_LIST*, String*, Table_specification_st*, enum_with_db_name) (sql_show.cc:2297)
      ==30373==    by 0x749006: mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) (sql_show.cc:1251)
      ==30373==    by 0x749526: mysqld_show_create(THD*, TABLE_LIST*) (sql_show.cc:1324)
      ==30373==    by 0x6BA3F3: mysql_execute_command(THD*) (sql_parse.cc:4222)
      ==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
      ==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
      ==30373==    by 0x6B259D: do_command(THD*) (sql_parse.cc:1360)
      ==30373==    by 0x8058EA: do_handle_one_connection(CONNECT*) (sql_connect.cc:1335)
      ==30373==    by 0x805677: handle_one_connection (sql_connect.cc:1241)
      ==30373==    by 0xC456B1: pfs_spawn_thread (pfs.cc:1863)
      ==30373==    by 0x4E3F493: start_thread (pthread_create.c:333)
      ==30373==  Address 0xd84bf38 is 8 bytes inside a block of size 16 free'd
      ==30373==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
      ==30373==    by 0x10EE624: my_free (my_malloc.c:217)
      ==30373==    by 0x5E2666: String::free() (sql_string.h:351)
      ==30373==    by 0x7722B2: String::real_alloc(unsigned long) (sql_string.cc:44)
      ==30373==    by 0x5EF6DC: String::alloc(unsigned long) (sql_string.h:361)
      ==30373==    by 0x7727FE: String::copy(char const*, unsigned long, charset_info_st const*) (sql_string.cc:187)
      ==30373==    by 0x7C06F6: TABLE::init(THD*, TABLE_LIST*) (table.cc:4464)
      ==30373==    by 0x644A91: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:1938)
      ==30373==    by 0x6472C8: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:3409)
      ==30373==    by 0x648403: open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:3928)
      ==30373==    by 0x69026C: open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) (sql_base.h:463)
      ==30373==    by 0x748E4A: mysqld_show_create_get_fields(THD*, TABLE_LIST*, List<Item>*, String*) (sql_show.cc:1229)
      ==30373==    by 0x749526: mysqld_show_create(THD*, TABLE_LIST*) (sql_show.cc:1324)
      ==30373==    by 0x6BA3F3: mysql_execute_command(THD*) (sql_parse.cc:4222)
      ==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
      ==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
      ==30373==  Block was alloc'd at
      ==30373==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
      ==30373==    by 0x10EE12D: my_malloc (my_malloc.c:101)
      ==30373==    by 0x7722D9: String::real_alloc(unsigned long) (sql_string.cc:47)
      ==30373==    by 0x5EF6DC: String::alloc(unsigned long) (sql_string.h:361)
      ==30373==    by 0x7727FE: String::copy(char const*, unsigned long, charset_info_st const*) (sql_string.cc:187)
      ==30373==    by 0x7BC591: open_table_from_share(THD*, TABLE_SHARE*, char const*, unsigned int, unsigned int, unsigned int, TABLE*, bool) (table.cc:3025)
      ==30373==    by 0x64483B: open_table(THD*, TABLE_LIST*, Open_table_context*) (sql_base.cc:1877)
      ==30373==    by 0x6472C8: open_and_process_table(THD*, LEX*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) (sql_base.cc:3409)
      ==30373==    by 0x648403: open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) (sql_base.cc:3928)
      ==30373==    by 0x649BF7: open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) (sql_base.cc:4682)
      ==30373==    by 0x63CD94: open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) (sql_base.h:494)
      ==30373==    by 0x6C1ECE: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6380)
      ==30373==    by 0x6B834E: mysql_execute_command(THD*) (sql_parse.cc:3463)
      ==30373==    by 0x6C5D33: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7900)
      ==30373==    by 0x6B3C3F: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1805)
      ==30373==    by 0x6B259D: do_command(THD*) (sql_parse.cc:1360)
      

      Reproducible on earlier builds as well, but not reproducible on 10.1.

              Assignee:
              serg Sergei Golubchik
              Reporter:
              elenst Elena Stepanova