  1. MariaDB Server
  2. MDEV-18485

Server crash or AddressSanitizer: heap-buffer-overflow or heap-use-after-free in create_tmp_table or in Field::is_null upon select from a view with virtual columns in underlying table

    Details

      Description

      # Reproducer in mysqltest format: a SELECT through a view over a MyISAM table
      # that has an indexed PERSISTENT generated column.
      # NOTE(review): nothing below creates a partitioned table -- confirm whether
      # this include is actually needed to reproduce.
      --source include/have_partition.inc
       
      # v is a stored (PERSISTENT) generated column defined as (a), with a key on it.
      CREATE TABLE t1 (a INT, b INT, v INT AS (a) PERSISTENT, KEY(v)) ENGINE=MyISAM;
      CREATE VIEW v1 AS SELECT * FROM t1;
      # The row is loaded with INSERT ... SELECT, not INSERT ... VALUES. In the 10.4
      # trace the freed region was allocated and released inside mi_repair_by_sort,
      # reached from select_insert::send_eof -> ha_myisam::end_bulk_insert.
      # NOTE(review): that suggests a Field pointer still referring to a record
      # buffer that the bulk-insert index rebuild freed -- confirm against the fix.
      INSERT INTO t1 (a,b) SELECT 1, 2;
       
      # The sanitizer reports are raised while this SELECT runs: in create_tmp_table
      # during derived-table preparation (10.2, 10.3 traces) or in Field::is_null
      # while the row is sent to the client (10.4 trace).
      SELECT * FROM v1;
       
      # Cleanup
      DROP VIEW v1;
      DROP TABLE t1;
      

      10.2 22737998 ASAN

      ==23090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000711b9 at pc 0x563356beb252 bp 0x7f017734e770 sp 0x7f017734e768
      READ of size 4 at 0x60e0000711b9 thread T5
          #0 0x563356beb251 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17115
          #1 0x563356d275c5 in select_union::create_result_table(THD*, List<Item>*, bool, unsigned long long, char const*, bool, bool, bool) /data/src/10.2/sql/sql_union.cc:183
          #2 0x563356a6ee63 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.2/sql/sql_derived.cc:804
          #3 0x563356a6bdeb in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_derived.cc:197
          #4 0x563356d957f4 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/table.cc:7986
          #5 0x563356ac3110 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/sql_lex.cc:3921
          #6 0x563356b785bf in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:716
          #7 0x563356b968fd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3796
          #8 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #9 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #10 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #11 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #12 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #13 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #14 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #15 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
          #16 0x56335783d4ed in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #17 0x7f01837c4493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #18 0x7f0181baa93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e0000711b9 is located 7 bytes to the left of 148-byte region [0x60e0000711c0,0x60e000071254)
      freed by thread T5 here:
          #0 0x7f0183a2e527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x56335815f5bb in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x56335815ebc1 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x56335812de50 in my_free /data/src/10.2/mysys/my_malloc.c:218
          #4 0x563357630f5a in info_remove_lock /data/src/10.2/storage/maria/ma_pagecache.c:2316
          #5 0x563357635395 in make_lock_and_pin /data/src/10.2/storage/maria/ma_pagecache.c:2631
          #6 0x5633576386df in pagecache_unlock_by_link /data/src/10.2/storage/maria/ma_pagecache.c:3091
          #7 0x5633576a9460 in _ma_unpin_all_pages /data/src/10.2/storage/maria/ma_key_recover.c:71
          #8 0x5633576df025 in write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3431
          #9 0x5633576dfdd7 in allocate_and_write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3565
          #10 0x5633576e00aa in _ma_write_init_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3605
          #11 0x56335770f694 in maria_write /data/src/10.2/storage/maria/ma_write.c:157
          #12 0x5633575d3d6f in ha_maria::write_row(unsigned char*) /data/src/10.2/storage/maria/ha_maria.cc:1290
          #13 0x563356c3b329 in handler::ha_write_tmp_row(unsigned char*) /data/src/10.2/sql/sql_class.h:5844
          #14 0x563356c6400f in schema_table_store_record(THD*, TABLE*) /data/src/10.2/sql/sql_show.cc:3616
          #15 0x563356c4ba48 in show_plugins /data/src/10.2/sql/sql_show.cc:277
          #16 0x563356b23c7e in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.2/sql/sql_plugin.cc:2396
          #17 0x563356c4bbc8 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.2/sql/sql_show.cc:286
          #18 0x563356c9d33a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.2/sql/sql_show.cc:8382
          #19 0x563356b9545d in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3587
          #20 0x563356b9372f in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
          #21 0x563356b96b17 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3818
          #22 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #23 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #24 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #25 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #26 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #27 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #28 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #29 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
       
      previously allocated by thread T5 here:
          #0 0x7f0183a2e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x56335815e331 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x56335812d4b7 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x563357630e2d in info_add_lock /data/src/10.2/storage/maria/ma_pagecache.c:2302
          #4 0x5633576352fd in make_lock_and_pin /data/src/10.2/storage/maria/ma_pagecache.c:2608
          #5 0x5633576397bf in pagecache_read /data/src/10.2/storage/maria/ma_pagecache.c:3425
          #6 0x5633576d3ce6 in get_head_or_tail_page /data/src/10.2/storage/maria/ma_blockrec.c:1782
          #7 0x5633576df9af in allocate_and_write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3544
          #8 0x5633576e00aa in _ma_write_init_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3605
          #9 0x56335770f694 in maria_write /data/src/10.2/storage/maria/ma_write.c:157
          #10 0x5633575d3d6f in ha_maria::write_row(unsigned char*) /data/src/10.2/storage/maria/ha_maria.cc:1290
          #11 0x563356c3b329 in handler::ha_write_tmp_row(unsigned char*) /data/src/10.2/sql/sql_class.h:5844
          #12 0x563356c6400f in schema_table_store_record(THD*, TABLE*) /data/src/10.2/sql/sql_show.cc:3616
          #13 0x563356c4ba48 in show_plugins /data/src/10.2/sql/sql_show.cc:277
          #14 0x563356b23c7e in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.2/sql/sql_plugin.cc:2396
          #15 0x563356c4bbc8 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.2/sql/sql_show.cc:286
          #16 0x563356c9d33a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.2/sql/sql_show.cc:8382
          #17 0x563356b9545d in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3587
          #18 0x563356b9372f in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
          #19 0x563356b96b17 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3818
          #20 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #21 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #22 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #23 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #24 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #25 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #26 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #27 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
          #28 0x56335783d4ed in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #29 0x7f01837c4493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f01839fdbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56335783dab5 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
          #2 0x5633568d567e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x5633568ea61b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
          #4 0x5633568ead20 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
          #5 0x5633568ebd37 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
          #6 0x5633568e9b70 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
          #7 0x5633568d3a1f in main /data/src/10.2/sql/main.cc:25
          #8 0x7f0181ae22b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/sql_select.cc:17115 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool)
      Shadow bytes around the buggy address:
        0x0c1c800061e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c800061f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80006200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006210: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
        0x0c1c80006220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      =>0x0c1c80006230: fa fa fa fa fa fa fa[fa]fd fd fd fd fd fd fd fd
        0x0c1c80006240: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80006250: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006260: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80006270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006280: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23090==ABORTING
      

      10.3 7293ce0e

      ==23240==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00006fe81 at pc 0x564b45431046 bp 0x7efd6a11fd10 sp 0x7efd6a11fd08
      READ of size 4 at 0x60e00006fe81 thread T5
          #0 0x564b45431045 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17669
          #1 0x564b45577ebb in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:375
          #2 0x564b452753c8 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:801
          #3 0x564b45272444 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:197
          #4 0x564b455f2e7a in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8180
          #5 0x564b452cfbf2 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/sql_lex.cc:4103
          #6 0x564b453ba6c5 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1000
          #7 0x564b453da007 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4217
          #8 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #9 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #10 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #11 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
          #12 0x564b4531a582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1854
          #13 0x564b45317594 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1396
          #14 0x564b45689e97 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #15 0x564b456898a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1309
          #16 0x564b461be11f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #17 0x7efd766f7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #18 0x7efd74add93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e00006fe81 is located 1 bytes inside of 148-byte region [0x60e00006fe80,0x60e00006ff14)
      freed by thread T5 here:
          #0 0x7efd76961527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x564b46b6c4a0 in free_memory /data/src/10.3/mysys/safemalloc.c:279
          #2 0x564b46b6baa6 in sf_free /data/src/10.3/mysys/safemalloc.c:197
          #3 0x564b46b3c4a0 in my_free /data/src/10.3/mysys/my_malloc.c:222
          #4 0x564b45fa4d3c in info_remove_lock /data/src/10.3/storage/maria/ma_pagecache.c:2316
          #5 0x564b45fa9540 in make_lock_and_pin /data/src/10.3/storage/maria/ma_pagecache.c:2631
          #6 0x564b45fae770 in pagecache_read /data/src/10.3/storage/maria/ma_pagecache.c:3474
          #7 0x564b46067098 in _ma_scan_block_record /data/src/10.3/storage/maria/ma_blockrec.c:5508
          #8 0x564b460307b4 in maria_scan /data/src/10.3/storage/maria/ma_scan.c:54
          #9 0x564b45f4aff6 in ha_maria::rnd_next(unsigned char*) /data/src/10.3/storage/maria/ha_maria.cc:2482
          #10 0x564b45a496e5 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2813
          #11 0x564b45df6a0b in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:481
          #12 0x564b451b99c9 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:73
          #13 0x564b4543e801 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19415
          #14 0x564b4543c8cc in do_select /data/src/10.3/sql/sql_select.cc:18936
          #15 0x564b453d90e3 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4040
          #16 0x564b453d6d11 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3834
          #17 0x564b453da22a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4239
          #18 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #19 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #20 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #21 0x564b45137313 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3594
          #22 0x564b45135c07 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3322
          #23 0x564b45136ae2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3500
          #24 0x564b45129d77 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1354
          #25 0x564b4512efdd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2294
          #26 0x564b45320398 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2954
          #27 0x564b45321df9 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3194
          #28 0x564b453355ad in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6288
          #29 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
       
      previously allocated by thread T5 here:
          #0 0x7efd7696173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x564b46b6b216 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x564b46b3bb93 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x564b45fa4c03 in info_add_lock /data/src/10.3/storage/maria/ma_pagecache.c:2302
          #4 0x564b45fa9598 in make_lock_and_pin /data/src/10.3/storage/maria/ma_pagecache.c:2646
          #5 0x564b45fae18e in pagecache_read /data/src/10.3/storage/maria/ma_pagecache.c:3425
          #6 0x564b46067098 in _ma_scan_block_record /data/src/10.3/storage/maria/ma_blockrec.c:5508
          #7 0x564b460307b4 in maria_scan /data/src/10.3/storage/maria/ma_scan.c:54
          #8 0x564b45f4aff6 in ha_maria::rnd_next(unsigned char*) /data/src/10.3/storage/maria/ha_maria.cc:2482
          #9 0x564b45a496e5 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2813
          #10 0x564b45df6a0b in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:481
          #11 0x564b451b99c9 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:73
          #12 0x564b4543e801 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19415
          #13 0x564b4543c8cc in do_select /data/src/10.3/sql/sql_select.cc:18936
          #14 0x564b453d90e3 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4040
          #15 0x564b453d6d11 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3834
          #16 0x564b453da22a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4239
          #17 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #18 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #19 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #20 0x564b45137313 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3594
          #21 0x564b45135c07 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3322
          #22 0x564b45136ae2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3500
          #23 0x564b45129d77 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1354
          #24 0x564b4512efdd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2294
          #25 0x564b45320398 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2954
          #26 0x564b45321df9 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3194
          #27 0x564b453355ad in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6288
          #28 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
          #29 0x564b4531a582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1854
       
      Thread T5 created by T0 here:
          #0 0x7efd76930bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x564b461be6e7 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x564b450821f8 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x564b4509838a in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6573
          #4 0x564b45098a8f in create_new_thread /data/src/10.3/sql/mysqld.cc:6643
          #5 0x564b45099aa6 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6918
          #6 0x564b45097847 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6195
          #7 0x564b4508027f in main /data/src/10.3/sql/main.cc:25
          #8 0x7efd74a152b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_select.cc:17669 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool)
      Shadow bytes around the buggy address:
        0x0c1c80005f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c1c80005f90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c80005fa0: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
        0x0c1c80005fb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c80005fc0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
      =>0x0c1c80005fd0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80005fe0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
        0x0c1c80005ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
        0x0c1c80006000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c1c80006010: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80006020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23240==ABORTING
      

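      Occasionally the same test case ends up with a different stack trace, where the invalid read is reported in Field::is_null while the result row is being sent, and the freed region is a buffer that mi_repair_by_sort allocated and released during an earlier INSERT ... SELECT: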

      10.4 7075d7fc ASAN

      ==23528==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00006c990 at pc 0x55d4f6243d70 bp 0x7fd6d053aa10 sp 0x7fd6d053aa08
      READ of size 1 at 0x60e00006c990 thread T5
          #0 0x55d4f6243d6f in Field::is_null(long long) const /data/src/10.4/sql/field.h:1166
          #1 0x55d4f623da10 in Protocol_text::store(Field*) /data/src/10.4/sql/protocol.cc:1248
          #2 0x55d4f6c9843a in Item_field::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:7067
          #3 0x55d4f6ca0bea in Item_ref::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:8094
          #4 0x55d4f6ca9160 in Item_direct_view_ref::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:8827
          #5 0x55d4f623a99b in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1004
          #6 0x55d4f63bd245 in select_send::send_data(List<Item>&) /data/src/10.4/sql/sql_class.cc:2982
          #7 0x55d4f65de3dc in end_send /data/src/10.4/sql/sql_select.cc:20574
          #8 0x55d4f65d2dde in do_select /data/src/10.4/sql/sql_select.cc:18887
          #9 0x55d4f656f6b1 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4094
          #10 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #11 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #12 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #13 0x55d4f64cb883 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6564
          #14 0x55d4f64b83f7 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3801
          #15 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #16 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #17 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #18 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #19 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #20 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #21 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #22 0x7fd6d9c9e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e00006c990 is located 112 bytes inside of 148-byte region [0x60e00006c920,0x60e00006c9b4)
      freed by thread T5 here:
          #0 0x7fd6dbb22527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x55d4f7d7f664 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x55d4f7d7ec6a in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x55d4f7d4f664 in my_free /data/src/10.4/mysys/my_malloc.c:221
          #4 0x55d4f7b5b555 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2558
          #5 0x55d4f7b38460 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1301
          #6 0x55d4f7b3af26 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1639
          #7 0x55d4f7b3be2e in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1800
          #8 0x55d4f6435190 in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3182
          #9 0x55d4f642bf5b in select_insert::prepare_eof() /data/src/10.4/sql/sql_insert.cc:3941
          #10 0x55d4f642d615 in select_insert::send_eof() /data/src/10.4/sql/sql_insert.cc:4034
          #11 0x55d4f656e689 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:3980
          #12 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #13 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #14 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #15 0x55d4f64be451 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4856
          #16 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #17 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #18 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #19 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #20 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #21 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #22 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7fd6dbb2273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55d4f7d7e3da in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55d4f7d4ed57 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55d4f7d4f1cc in my_realloc /data/src/10.4/mysys/my_malloc.c:154
          #4 0x55d4f7bb250d in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762
          #5 0x55d4f7b58698 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2241
          #6 0x55d4f7b38460 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1301
          #7 0x55d4f7b3af26 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1639
          #8 0x55d4f7b3be2e in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1800
          #9 0x55d4f6435190 in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3182
          #10 0x55d4f642bf5b in select_insert::prepare_eof() /data/src/10.4/sql/sql_insert.cc:3941
          #11 0x55d4f642d615 in select_insert::send_eof() /data/src/10.4/sql/sql_insert.cc:4034
          #12 0x55d4f656e689 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:3980
          #13 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #14 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #15 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #16 0x55d4f64be451 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4856
          #17 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #18 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #19 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #20 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #21 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #22 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #23 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7fd6dbaf1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55d4f73d4304 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55d4f62001e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55d4f6215a21 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6195
          #4 0x55d4f6216126 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6265
          #5 0x55d4f62164b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6363
          #6 0x55d4f6217102 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6521
          #7 0x55d4f621525c in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5853
          #8 0x55d4f61fe06f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fd6d9bd62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/field.h:1166 Field::is_null(long long) const
      Shadow bytes around the buggy address:
        0x0c1c800058e0: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
        0x0c1c800058f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c1c80005900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c1c80005910: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80005920: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c1c80005930: fd fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80005940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c80005950: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
        0x0c1c80005960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
        0x0c1c80005970: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c80005980: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23528==ABORTING
      

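      It can also crash on a non-ASAN build (debug or non-debug), but only non-deterministically; a run that does not crash has presumably still performed the invalid heap access reported above, it just went undetected: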

      10.4 7075d7fc

      #3  <signal handler called>
      #4  0x00007f4d17b62cb4 in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x000055b7f958050e in create_tmp_table (thd=0x7f4d00000b00, param=0x7f4d0001a2b0, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f4d000157c0, do_not_open=true, keep_row_order=false) at /data/src/10.4/sql/sql_select.cc:17665
      #6  0x000055b7f9603019 in select_unit::create_result_table (this=0x7f4d0001a270, thd_arg=0x7f4d00000b00, column_types=0x7f4d00016e50, is_union_distinct=false, options=2416188160, alias=0x7f4d000157c0, bit_fields_as_long=false, create_table=false, keep_row_order=false, hidden=0) at /data/src/10.4/sql/sql_union.cc:375
      #7  0x000055b7f94bc5fd in mysql_derived_prepare (thd=0x7f4d00000b00, lex=0x7f4d000048f0, derived=0x7f4d00015778) at /data/src/10.4/sql/sql_derived.cc:802
      #8  0x000055b7f94bb2ab in mysql_handle_single_derived (lex=0x7f4d000048f0, derived=0x7f4d00015778, phases=2) at /data/src/10.4/sql/sql_derived.cc:198
      #9  0x000055b7f96336b0 in TABLE_LIST::handle_derived (this=0x7f4d00015778, lex=0x7f4d000048f0, phases=2) at /data/src/10.4/sql/table.cc:8187
      #10 0x000055b7f94dfece in st_select_lex::handle_derived (this=0x7f4d000151f0, lex=0x7f4d000048f0, phases=2) at /data/src/10.4/sql/sql_lex.cc:4192
      #11 0x000055b7f955158d in JOIN::prepare (this=0x7f4d00019d00, tables_init=0x7f4d00015778, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f4d000151f0, unit_arg=0x7f4d000049b8) at /data/src/10.4/sql/sql_select.cc:1000
      #12 0x000055b7f955d47e in mysql_select (thd=0x7f4d00000b00, tables=0x7f4d00015778, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f4d00019cd8, unit=0x7f4d000049b8, select_lex=0x7f4d000151f0) at /data/src/10.4/sql/sql_select.cc:4271
      #13 0x000055b7f954ee49 in handle_select (thd=0x7f4d00000b00, lex=0x7f4d000048f0, result=0x7f4d00019cd8, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:385
      #14 0x000055b7f95189c3 in execute_sqlcom_select (thd=0x7f4d00000b00, all_tables=0x7f4d00015778) at /data/src/10.4/sql/sql_parse.cc:6564
      #15 0x000055b7f950dcda in mysql_execute_command (thd=0x7f4d00000b00) at /data/src/10.4/sql/sql_parse.cc:3801
      #16 0x000055b7f951c90e in mysql_parse (thd=0x7f4d00000b00, rawbuf=0x7f4d00015168 "SELECT * FROM v1", length=16, parser_state=0x7f4d11bdf210, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8117
      #17 0x000055b7f9508170 in dispatch_command (command=COM_QUERY, thd=0x7f4d00000b00, packet=0x7f4d0000a431 "SELECT * FROM v1", packet_length=16, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1803
      #18 0x000055b7f9506ac8 in do_command (thd=0x7f4d00000b00) at /data/src/10.4/sql/sql_parse.cc:1356
      #19 0x000055b7f9675e93 in do_handle_one_connection (connect=0x55b7fd52dc80) at /data/src/10.4/sql/sql_connect.cc:1398
      #20 0x000055b7f9675c04 in handle_one_connection (arg=0x55b7fd52dc80) at /data/src/10.4/sql/sql_connect.cc:1301
      #21 0x000055b7f9b5ef35 in pfs_spawn_thread (arg=0x55b7fd567260) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #22 0x00007f4d1973c494 in start_thread (arg=0x7f4d11be0700) at pthread_create.c:333
      #23 0x00007f4d17b2293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Not reproducible on 10.1.

      Here is also a somewhat different crash which I am getting non-deterministically on an unsimplified test case:

      10.2 22737998

      #3  <signal handler called>
      #4  0x0000559d6e91cba2 in Field::is_null_in_record (this=0x7f95800e0628, record=0x7f9574192528 "\377") at /data/src/10.2/sql/field.h:1137
      #5  0x0000559d6eb00c3e in Column_definition::Column_definition (this=0x7f95880285a8, thd=0x7f9588000b00, old_field=0x7f95800e0628, orig_field=0x7f95800e0628) at /data/src/10.2/sql/field.cc:10643
      #6  0x0000559d6e87bba4 in Create_field::Create_field (this=0x7f95880285a8, thd=0x7f9588000b00, old_field=0x7f95800e0628, orig_field=0x7f95800e0628) at /data/src/10.2/sql/field.h:3956
      #7  0x0000559d6e969016 in mysql_prepare_alter_table (thd=0x7f9588000b00, table=0x7f95800901c0, create_info=0x7f95e4135ea0, alter_info=0x7f95e4135df0, alter_ctx=0x7f95e4135290) at /data/src/10.2/sql/sql_table.cc:7756
      #8  0x0000559d6e96c97c in mysql_alter_table (thd=0x7f9588000b00, new_db=0x7f9588027f40 "test", new_name=0x0, create_info=0x7f95e4135ea0, table_list=0x7f9588027930, alter_info=0x7f95e4135df0, order_num=0, order=0x0, ignore=false) at /data/src/10.2/sql/sql_table.cc:9056
      #9  0x0000559d6e9e8af1 in Sql_cmd_alter_table::execute (this=0x7f95880281a8, thd=0x7f9588000b00) at /data/src/10.2/sql/sql_alter.cc:329
      #10 0x0000559d6e89f510 in mysql_execute_command (thd=0x7f9588000b00) at /data/src/10.2/sql/sql_parse.cc:6231
      #11 0x0000559d6e8a4371 in mysql_parse (thd=0x7f9588000b00, rawbuf=0x7f9588027668 "ALTER TABLE `table0_myisam_int_autoinc` /* 100301 WAIT 5 */ ADD FOREIGN KEY (`col_int`) REFERENCES table0_myisam_int_autoinc (`col_char_12_key`) ON UPDATE RESTRICT, LOCK=DEFAULT /* QNO 3304 CON_ID 15 "..., length=202, parser_state=0x7f95e4137250, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8018
      #12 0x0000559d6e891cab in dispatch_command (command=COM_QUERY, thd=0x7f9588000b00, packet=0x7f95880088b1 "ALTER TABLE `table0_myisam_int_autoinc` /*!100301 WAIT 5 */ ADD FOREIGN KEY (`col_int`) REFERENCES table0_myisam_int_autoinc (`col_char_12_key`) ON UPDATE RESTRICT, LOCK=DEFAULT /* QNO 3304 CON_ID 15 "..., packet_length=202, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1829
      #13 0x0000559d6e8905b6 in do_command (thd=0x7f9588000b00) at /data/src/10.2/sql/sql_parse.cc:1379
      #14 0x0000559d6e9e3788 in do_handle_one_connection (connect=0x559d719ef810) at /data/src/10.2/sql/sql_connect.cc:1336
      #15 0x0000559d6e9e3515 in handle_one_connection (arg=0x559d719ef810) at /data/src/10.2/sql/sql_connect.cc:1242
      #16 0x00007f95fb580494 in start_thread (arg=0x7f95e4138700) at pthread_create.c:333
      #17 0x00007f95f996693f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      When the unsimplified test case is run on an ASAN build, it produces the ASAN failures described above.

              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                elenst Elena Stepanova