
Server crash or AddressSanitizer: heap-buffer-overflow or heap-use-after-free in create_tmp_table or in Field::is_null upon select from a view with virtual columns in underlying table

Details

    Description

      # MDEV-18485 reproducer: MyISAM table with a PERSISTENT (stored) virtual
      # column and a key on it, read back through a view after INSERT ... SELECT.
      # NOTE(review): no partitioned table is created below, so this include
      # looks unnecessary for the repro -- confirm before keeping it.
      --source include/have_partition.inc
       
      # v is a stored generated column derived from a. Presumably KEY(v) is
      # what sends end_bulk_insert through enable_indexes/repair in the 10.4
      # trace below -- verify by dropping the key.
      CREATE TABLE t1 (a INT, b INT, v INT AS (a) PERSISTENT, KEY(v)) ENGINE=MyISAM;
      CREATE VIEW v1 AS SELECT * FROM t1;
      # INSERT ... SELECT rather than INSERT ... VALUES: the 10.4 trace shows
      # the later-freed 148-byte buffer being released inside
      # select_insert::send_eof -> ha_myisam::end_bulk_insert -> repair,
      # i.e. during this statement, not during the SELECT that reads it.
      INSERT INTO t1 (a,b) SELECT 1, 2;
       
      # Statement that triggers the ASAN report (heap-buffer-overflow or
      # heap-use-after-free in create_tmp_table / Field::is_null). In the 10.2
      # trace the faulting address is 7 bytes left of an unrelated freed region,
      # which reads like a stale pointer rather than an overrun of a live buffer.
      SELECT * FROM v1;
       
      # Cleanup
      DROP VIEW v1;
      DROP TABLE t1;
      

      10.2 22737998 ASAN

      ==23090==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000711b9 at pc 0x563356beb252 bp 0x7f017734e770 sp 0x7f017734e768
      READ of size 4 at 0x60e0000711b9 thread T5
          #0 0x563356beb251 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool) /data/src/10.2/sql/sql_select.cc:17115
          #1 0x563356d275c5 in select_union::create_result_table(THD*, List<Item>*, bool, unsigned long long, char const*, bool, bool, bool) /data/src/10.2/sql/sql_union.cc:183
          #2 0x563356a6ee63 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.2/sql/sql_derived.cc:804
          #3 0x563356a6bdeb in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.2/sql/sql_derived.cc:197
          #4 0x563356d957f4 in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/table.cc:7986
          #5 0x563356ac3110 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.2/sql/sql_lex.cc:3921
          #6 0x563356b785bf in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:716
          #7 0x563356b968fd in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3796
          #8 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #9 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #10 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #11 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #12 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #13 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #14 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #15 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
          #16 0x56335783d4ed in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #17 0x7f01837c4493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #18 0x7f0181baa93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e0000711b9 is located 7 bytes to the left of 148-byte region [0x60e0000711c0,0x60e000071254)
      freed by thread T5 here:
          #0 0x7f0183a2e527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x56335815f5bb in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x56335815ebc1 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x56335812de50 in my_free /data/src/10.2/mysys/my_malloc.c:218
          #4 0x563357630f5a in info_remove_lock /data/src/10.2/storage/maria/ma_pagecache.c:2316
          #5 0x563357635395 in make_lock_and_pin /data/src/10.2/storage/maria/ma_pagecache.c:2631
          #6 0x5633576386df in pagecache_unlock_by_link /data/src/10.2/storage/maria/ma_pagecache.c:3091
          #7 0x5633576a9460 in _ma_unpin_all_pages /data/src/10.2/storage/maria/ma_key_recover.c:71
          #8 0x5633576df025 in write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3431
          #9 0x5633576dfdd7 in allocate_and_write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3565
          #10 0x5633576e00aa in _ma_write_init_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3605
          #11 0x56335770f694 in maria_write /data/src/10.2/storage/maria/ma_write.c:157
          #12 0x5633575d3d6f in ha_maria::write_row(unsigned char*) /data/src/10.2/storage/maria/ha_maria.cc:1290
          #13 0x563356c3b329 in handler::ha_write_tmp_row(unsigned char*) /data/src/10.2/sql/sql_class.h:5844
          #14 0x563356c6400f in schema_table_store_record(THD*, TABLE*) /data/src/10.2/sql/sql_show.cc:3616
          #15 0x563356c4ba48 in show_plugins /data/src/10.2/sql/sql_show.cc:277
          #16 0x563356b23c7e in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.2/sql/sql_plugin.cc:2396
          #17 0x563356c4bbc8 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.2/sql/sql_show.cc:286
          #18 0x563356c9d33a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.2/sql/sql_show.cc:8382
          #19 0x563356b9545d in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3587
          #20 0x563356b9372f in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
          #21 0x563356b96b17 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3818
          #22 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #23 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #24 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #25 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #26 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #27 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #28 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #29 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
       
      previously allocated by thread T5 here:
          #0 0x7f0183a2e73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x56335815e331 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x56335812d4b7 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x563357630e2d in info_add_lock /data/src/10.2/storage/maria/ma_pagecache.c:2302
          #4 0x5633576352fd in make_lock_and_pin /data/src/10.2/storage/maria/ma_pagecache.c:2608
          #5 0x5633576397bf in pagecache_read /data/src/10.2/storage/maria/ma_pagecache.c:3425
          #6 0x5633576d3ce6 in get_head_or_tail_page /data/src/10.2/storage/maria/ma_blockrec.c:1782
          #7 0x5633576df9af in allocate_and_write_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3544
          #8 0x5633576e00aa in _ma_write_init_block_record /data/src/10.2/storage/maria/ma_blockrec.c:3605
          #9 0x56335770f694 in maria_write /data/src/10.2/storage/maria/ma_write.c:157
          #10 0x5633575d3d6f in ha_maria::write_row(unsigned char*) /data/src/10.2/storage/maria/ha_maria.cc:1290
          #11 0x563356c3b329 in handler::ha_write_tmp_row(unsigned char*) /data/src/10.2/sql/sql_class.h:5844
          #12 0x563356c6400f in schema_table_store_record(THD*, TABLE*) /data/src/10.2/sql/sql_show.cc:3616
          #13 0x563356c4ba48 in show_plugins /data/src/10.2/sql/sql_show.cc:277
          #14 0x563356b23c7e in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.2/sql/sql_plugin.cc:2396
          #15 0x563356c4bbc8 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.2/sql/sql_show.cc:286
          #16 0x563356c9d33a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.2/sql/sql_show.cc:8382
          #17 0x563356b9545d in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3587
          #18 0x563356b9372f in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
          #19 0x563356b96b17 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3818
          #20 0x563356b75af2 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
          #21 0x563356af8860 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6484
          #22 0x563356ae5549 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3490
          #23 0x563356b0154b in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
          #24 0x563356adbf38 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
          #25 0x563356ad8f57 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #26 0x563356e1fedf in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
          #27 0x563356e1f8f4 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
          #28 0x56335783d4ed in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #29 0x7f01837c4493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f01839fdbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56335783dab5 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
          #2 0x5633568d567e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x5633568ea61b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
          #4 0x5633568ead20 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
          #5 0x5633568ebd37 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
          #6 0x5633568e9b70 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
          #7 0x5633568d3a1f in main /data/src/10.2/sql/main.cc:25
          #8 0x7f0181ae22b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/sql_select.cc:17115 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, char const*, bool, bool)
      Shadow bytes around the buggy address:
        0x0c1c800061e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c800061f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80006200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006210: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
        0x0c1c80006220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      =>0x0c1c80006230: fa fa fa fa fa fa fa[fa]fd fd fd fd fd fd fd fd
        0x0c1c80006240: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80006250: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006260: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80006270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80006280: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23090==ABORTING
      

      10.3 7293ce0e

      ==23240==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00006fe81 at pc 0x564b45431046 bp 0x7efd6a11fd10 sp 0x7efd6a11fd08
      READ of size 4 at 0x60e00006fe81 thread T5
          #0 0x564b45431045 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.3/sql/sql_select.cc:17669
          #1 0x564b45577ebb in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.3/sql/sql_union.cc:375
          #2 0x564b452753c8 in mysql_derived_prepare(THD*, LEX*, TABLE_LIST*) /data/src/10.3/sql/sql_derived.cc:801
          #3 0x564b45272444 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /data/src/10.3/sql/sql_derived.cc:197
          #4 0x564b455f2e7a in TABLE_LIST::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/table.cc:8180
          #5 0x564b452cfbf2 in st_select_lex::handle_derived(LEX*, unsigned int) /data/src/10.3/sql/sql_lex.cc:4103
          #6 0x564b453ba6c5 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.3/sql/sql_select.cc:1000
          #7 0x564b453da007 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4217
          #8 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #9 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #10 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #11 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
          #12 0x564b4531a582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1854
          #13 0x564b45317594 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1396
          #14 0x564b45689e97 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
          #15 0x564b456898a3 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1309
          #16 0x564b461be11f in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
          #17 0x7efd766f7493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #18 0x7efd74add93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e00006fe81 is located 1 bytes inside of 148-byte region [0x60e00006fe80,0x60e00006ff14)
      freed by thread T5 here:
          #0 0x7efd76961527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x564b46b6c4a0 in free_memory /data/src/10.3/mysys/safemalloc.c:279
          #2 0x564b46b6baa6 in sf_free /data/src/10.3/mysys/safemalloc.c:197
          #3 0x564b46b3c4a0 in my_free /data/src/10.3/mysys/my_malloc.c:222
          #4 0x564b45fa4d3c in info_remove_lock /data/src/10.3/storage/maria/ma_pagecache.c:2316
          #5 0x564b45fa9540 in make_lock_and_pin /data/src/10.3/storage/maria/ma_pagecache.c:2631
          #6 0x564b45fae770 in pagecache_read /data/src/10.3/storage/maria/ma_pagecache.c:3474
          #7 0x564b46067098 in _ma_scan_block_record /data/src/10.3/storage/maria/ma_blockrec.c:5508
          #8 0x564b460307b4 in maria_scan /data/src/10.3/storage/maria/ma_scan.c:54
          #9 0x564b45f4aff6 in ha_maria::rnd_next(unsigned char*) /data/src/10.3/storage/maria/ha_maria.cc:2482
          #10 0x564b45a496e5 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2813
          #11 0x564b45df6a0b in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:481
          #12 0x564b451b99c9 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:73
          #13 0x564b4543e801 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19415
          #14 0x564b4543c8cc in do_select /data/src/10.3/sql/sql_select.cc:18936
          #15 0x564b453d90e3 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4040
          #16 0x564b453d6d11 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3834
          #17 0x564b453da22a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4239
          #18 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #19 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #20 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #21 0x564b45137313 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3594
          #22 0x564b45135c07 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3322
          #23 0x564b45136ae2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3500
          #24 0x564b45129d77 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1354
          #25 0x564b4512efdd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2294
          #26 0x564b45320398 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2954
          #27 0x564b45321df9 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3194
          #28 0x564b453355ad in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6288
          #29 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
       
      previously allocated by thread T5 here:
          #0 0x7efd7696173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x564b46b6b216 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
          #2 0x564b46b3bb93 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #3 0x564b45fa4c03 in info_add_lock /data/src/10.3/storage/maria/ma_pagecache.c:2302
          #4 0x564b45fa9598 in make_lock_and_pin /data/src/10.3/storage/maria/ma_pagecache.c:2646
          #5 0x564b45fae18e in pagecache_read /data/src/10.3/storage/maria/ma_pagecache.c:3425
          #6 0x564b46067098 in _ma_scan_block_record /data/src/10.3/storage/maria/ma_blockrec.c:5508
          #7 0x564b460307b4 in maria_scan /data/src/10.3/storage/maria/ma_scan.c:54
          #8 0x564b45f4aff6 in ha_maria::rnd_next(unsigned char*) /data/src/10.3/storage/maria/ha_maria.cc:2482
          #9 0x564b45a496e5 in handler::ha_rnd_next(unsigned char*) /data/src/10.3/sql/handler.cc:2813
          #10 0x564b45df6a0b in rr_sequential(READ_RECORD*) /data/src/10.3/sql/records.cc:481
          #11 0x564b451b99c9 in READ_RECORD::read_record() /data/src/10.3/sql/records.h:73
          #12 0x564b4543e801 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19415
          #13 0x564b4543c8cc in do_select /data/src/10.3/sql/sql_select.cc:18936
          #14 0x564b453d90e3 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4040
          #15 0x564b453d6d11 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3834
          #16 0x564b453da22a in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4239
          #17 0x564b453b4d44 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:385
          #18 0x564b45337612 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6551
          #19 0x564b45325a83 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3772
          #20 0x564b45137313 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3594
          #21 0x564b45135c07 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.3/sql/sp_head.cc:3322
          #22 0x564b45136ae2 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.3/sql/sp_head.cc:3500
          #23 0x564b45129d77 in sp_head::execute(THD*, bool) /data/src/10.3/sql/sp_head.cc:1354
          #24 0x564b4512efdd in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.3/sql/sp_head.cc:2294
          #25 0x564b45320398 in do_execute_sp /data/src/10.3/sql/sql_parse.cc:2954
          #26 0x564b45321df9 in Sql_cmd_call::execute(THD*) /data/src/10.3/sql/sql_parse.cc:3194
          #27 0x564b453355ad in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:6288
          #28 0x564b453404aa in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:8095
          #29 0x564b4531a582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1854
       
      Thread T5 created by T0 here:
          #0 0x7efd76930bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x564b461be6e7 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
          #2 0x564b450821f8 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
          #3 0x564b4509838a in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6573
          #4 0x564b45098a8f in create_new_thread /data/src/10.3/sql/mysqld.cc:6643
          #5 0x564b45099aa6 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6918
          #6 0x564b45097847 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6195
          #7 0x564b4508027f in main /data/src/10.3/sql/main.cc:25
          #8 0x7efd74a152b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/sql_select.cc:17669 create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool)
      Shadow bytes around the buggy address:
        0x0c1c80005f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c1c80005f90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c80005fa0: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
        0x0c1c80005fb0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c80005fc0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
      =>0x0c1c80005fd0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80005fe0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
        0x0c1c80005ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
        0x0c1c80006000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c1c80006010: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80006020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23240==ABORTING
      

      Occasionally the same test case ends up with a different stack trace:

      10.4 7075d7fc ASAN

      ==23528==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00006c990 at pc 0x55d4f6243d70 bp 0x7fd6d053aa10 sp 0x7fd6d053aa08
      READ of size 1 at 0x60e00006c990 thread T5
          #0 0x55d4f6243d6f in Field::is_null(long long) const /data/src/10.4/sql/field.h:1166
          #1 0x55d4f623da10 in Protocol_text::store(Field*) /data/src/10.4/sql/protocol.cc:1248
          #2 0x55d4f6c9843a in Item_field::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:7067
          #3 0x55d4f6ca0bea in Item_ref::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:8094
          #4 0x55d4f6ca9160 in Item_direct_view_ref::send(Protocol*, st_value*) /data/src/10.4/sql/item.cc:8827
          #5 0x55d4f623a99b in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1004
          #6 0x55d4f63bd245 in select_send::send_data(List<Item>&) /data/src/10.4/sql/sql_class.cc:2982
          #7 0x55d4f65de3dc in end_send /data/src/10.4/sql/sql_select.cc:20574
          #8 0x55d4f65d2dde in do_select /data/src/10.4/sql/sql_select.cc:18887
          #9 0x55d4f656f6b1 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4094
          #10 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #11 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #12 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #13 0x55d4f64cb883 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6564
          #14 0x55d4f64b83f7 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3801
          #15 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #16 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #17 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #18 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #19 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #20 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #21 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #22 0x7fd6d9c9e93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e00006c990 is located 112 bytes inside of 148-byte region [0x60e00006c920,0x60e00006c9b4)
      freed by thread T5 here:
          #0 0x7fd6dbb22527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x55d4f7d7f664 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x55d4f7d7ec6a in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x55d4f7d4f664 in my_free /data/src/10.4/mysys/my_malloc.c:221
          #4 0x55d4f7b5b555 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2558
          #5 0x55d4f7b38460 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1301
          #6 0x55d4f7b3af26 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1639
          #7 0x55d4f7b3be2e in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1800
          #8 0x55d4f6435190 in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3182
          #9 0x55d4f642bf5b in select_insert::prepare_eof() /data/src/10.4/sql/sql_insert.cc:3941
          #10 0x55d4f642d615 in select_insert::send_eof() /data/src/10.4/sql/sql_insert.cc:4034
          #11 0x55d4f656e689 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:3980
          #12 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #13 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #14 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #15 0x55d4f64be451 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4856
          #16 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #17 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #18 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #19 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #20 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #21 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #22 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7fd6dbb2273f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55d4f7d7e3da in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55d4f7d4ed57 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55d4f7d4f1cc in my_realloc /data/src/10.4/mysys/my_malloc.c:154
          #4 0x55d4f7bb250d in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762
          #5 0x55d4f7b58698 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2241
          #6 0x55d4f7b38460 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1301
          #7 0x55d4f7b3af26 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1639
          #8 0x55d4f7b3be2e in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1800
          #9 0x55d4f6435190 in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.h:3182
          #10 0x55d4f642bf5b in select_insert::prepare_eof() /data/src/10.4/sql/sql_insert.cc:3941
          #11 0x55d4f642d615 in select_insert::send_eof() /data/src/10.4/sql/sql_insert.cc:4034
          #12 0x55d4f656e689 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:3980
          #13 0x55d4f656d2df in JOIN::exec() /data/src/10.4/sql/sql_select.cc:3888
          #14 0x55d4f65707a1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4293
          #15 0x55d4f654a1a1 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:385
          #16 0x55d4f64be451 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4856
          #17 0x55d4f64d41be in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8117
          #18 0x55d4f64ac582 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1803
          #19 0x55d4f64a9625 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1356
          #20 0x55d4f68255ec in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1398
          #21 0x55d4f6824fe5 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1301
          #22 0x55d4f73d3d3c in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #23 0x7fd6db8b8493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7fd6dbaf1bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55d4f73d4304 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55d4f62001e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55d4f6215a21 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6195
          #4 0x55d4f6216126 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6265
          #5 0x55d4f62164b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6363
          #6 0x55d4f6217102 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6521
          #7 0x55d4f621525c in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5853
          #8 0x55d4f61fe06f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fd6d9bd62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/field.h:1166 Field::is_null(long long) const
      Shadow bytes around the buggy address:
        0x0c1c800058e0: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
        0x0c1c800058f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c1c80005900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c1c80005910: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
        0x0c1c80005920: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c1c80005930: fd fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c1c80005940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c80005950: 00 00 04 fa fa fa fa fa fa fa fa fa 00 00 00 00
        0x0c1c80005960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
        0x0c1c80005970: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c80005980: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23528==ABORTING
      

      It can also non-deterministically crash on a non-ASAN build (debug or non-debug):

      10.4 7075d7fc

      #3  <signal handler called>
      #4  0x00007f4d17b62cb4 in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
      #5  0x000055b7f958050e in create_tmp_table (thd=0x7f4d00000b00, param=0x7f4d0001a2b0, fields=..., group=0x0, distinct=false, save_sum_fields=true, select_options=2416188160, rows_limit=18446744073709551615, table_alias=0x7f4d000157c0, do_not_open=true, keep_row_order=false) at /data/src/10.4/sql/sql_select.cc:17665
      #6  0x000055b7f9603019 in select_unit::create_result_table (this=0x7f4d0001a270, thd_arg=0x7f4d00000b00, column_types=0x7f4d00016e50, is_union_distinct=false, options=2416188160, alias=0x7f4d000157c0, bit_fields_as_long=false, create_table=false, keep_row_order=false, hidden=0) at /data/src/10.4/sql/sql_union.cc:375
      #7  0x000055b7f94bc5fd in mysql_derived_prepare (thd=0x7f4d00000b00, lex=0x7f4d000048f0, derived=0x7f4d00015778) at /data/src/10.4/sql/sql_derived.cc:802
      #8  0x000055b7f94bb2ab in mysql_handle_single_derived (lex=0x7f4d000048f0, derived=0x7f4d00015778, phases=2) at /data/src/10.4/sql/sql_derived.cc:198
      #9  0x000055b7f96336b0 in TABLE_LIST::handle_derived (this=0x7f4d00015778, lex=0x7f4d000048f0, phases=2) at /data/src/10.4/sql/table.cc:8187
      #10 0x000055b7f94dfece in st_select_lex::handle_derived (this=0x7f4d000151f0, lex=0x7f4d000048f0, phases=2) at /data/src/10.4/sql/sql_lex.cc:4192
      #11 0x000055b7f955158d in JOIN::prepare (this=0x7f4d00019d00, tables_init=0x7f4d00015778, wild_num=1, conds_init=0x0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7f4d000151f0, unit_arg=0x7f4d000049b8) at /data/src/10.4/sql/sql_select.cc:1000
      #12 0x000055b7f955d47e in mysql_select (thd=0x7f4d00000b00, tables=0x7f4d00015778, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7f4d00019cd8, unit=0x7f4d000049b8, select_lex=0x7f4d000151f0) at /data/src/10.4/sql/sql_select.cc:4271
      #13 0x000055b7f954ee49 in handle_select (thd=0x7f4d00000b00, lex=0x7f4d000048f0, result=0x7f4d00019cd8, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:385
      #14 0x000055b7f95189c3 in execute_sqlcom_select (thd=0x7f4d00000b00, all_tables=0x7f4d00015778) at /data/src/10.4/sql/sql_parse.cc:6564
      #15 0x000055b7f950dcda in mysql_execute_command (thd=0x7f4d00000b00) at /data/src/10.4/sql/sql_parse.cc:3801
      #16 0x000055b7f951c90e in mysql_parse (thd=0x7f4d00000b00, rawbuf=0x7f4d00015168 "SELECT * FROM v1", length=16, parser_state=0x7f4d11bdf210, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8117
      #17 0x000055b7f9508170 in dispatch_command (command=COM_QUERY, thd=0x7f4d00000b00, packet=0x7f4d0000a431 "SELECT * FROM v1", packet_length=16, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1803
      #18 0x000055b7f9506ac8 in do_command (thd=0x7f4d00000b00) at /data/src/10.4/sql/sql_parse.cc:1356
      #19 0x000055b7f9675e93 in do_handle_one_connection (connect=0x55b7fd52dc80) at /data/src/10.4/sql/sql_connect.cc:1398
      #20 0x000055b7f9675c04 in handle_one_connection (arg=0x55b7fd52dc80) at /data/src/10.4/sql/sql_connect.cc:1301
      #21 0x000055b7f9b5ef35 in pfs_spawn_thread (arg=0x55b7fd567260) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #22 0x00007f4d1973c494 in start_thread (arg=0x7f4d11be0700) at pthread_create.c:333
      #23 0x00007f4d17b2293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Not reproducible on 10.1.

      Here is also a somewhat different crash which I am getting non-deterministically on an unsimplified test case:

      10.2 22737998

      #3  <signal handler called>
      #4  0x0000559d6e91cba2 in Field::is_null_in_record (this=0x7f95800e0628, record=0x7f9574192528 "\377") at /data/src/10.2/sql/field.h:1137
      #5  0x0000559d6eb00c3e in Column_definition::Column_definition (this=0x7f95880285a8, thd=0x7f9588000b00, old_field=0x7f95800e0628, orig_field=0x7f95800e0628) at /data/src/10.2/sql/field.cc:10643
      #6  0x0000559d6e87bba4 in Create_field::Create_field (this=0x7f95880285a8, thd=0x7f9588000b00, old_field=0x7f95800e0628, orig_field=0x7f95800e0628) at /data/src/10.2/sql/field.h:3956
      #7  0x0000559d6e969016 in mysql_prepare_alter_table (thd=0x7f9588000b00, table=0x7f95800901c0, create_info=0x7f95e4135ea0, alter_info=0x7f95e4135df0, alter_ctx=0x7f95e4135290) at /data/src/10.2/sql/sql_table.cc:7756
      #8  0x0000559d6e96c97c in mysql_alter_table (thd=0x7f9588000b00, new_db=0x7f9588027f40 "test", new_name=0x0, create_info=0x7f95e4135ea0, table_list=0x7f9588027930, alter_info=0x7f95e4135df0, order_num=0, order=0x0, ignore=false) at /data/src/10.2/sql/sql_table.cc:9056
      #9  0x0000559d6e9e8af1 in Sql_cmd_alter_table::execute (this=0x7f95880281a8, thd=0x7f9588000b00) at /data/src/10.2/sql/sql_alter.cc:329
      #10 0x0000559d6e89f510 in mysql_execute_command (thd=0x7f9588000b00) at /data/src/10.2/sql/sql_parse.cc:6231
      #11 0x0000559d6e8a4371 in mysql_parse (thd=0x7f9588000b00, rawbuf=0x7f9588027668 "ALTER TABLE `table0_myisam_int_autoinc` /* 100301 WAIT 5 */ ADD FOREIGN KEY (`col_int`) REFERENCES table0_myisam_int_autoinc (`col_char_12_key`) ON UPDATE RESTRICT, LOCK=DEFAULT /* QNO 3304 CON_ID 15 "..., length=202, parser_state=0x7f95e4137250, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:8018
      #12 0x0000559d6e891cab in dispatch_command (command=COM_QUERY, thd=0x7f9588000b00, packet=0x7f95880088b1 "ALTER TABLE `table0_myisam_int_autoinc` /*!100301 WAIT 5 */ ADD FOREIGN KEY (`col_int`) REFERENCES table0_myisam_int_autoinc (`col_char_12_key`) ON UPDATE RESTRICT, LOCK=DEFAULT /* QNO 3304 CON_ID 15 "..., packet_length=202, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1829
      #13 0x0000559d6e8905b6 in do_command (thd=0x7f9588000b00) at /data/src/10.2/sql/sql_parse.cc:1379
      #14 0x0000559d6e9e3788 in do_handle_one_connection (connect=0x559d719ef810) at /data/src/10.2/sql/sql_connect.cc:1336
      #15 0x0000559d6e9e3515 in handle_one_connection (arg=0x559d719ef810) at /data/src/10.2/sql/sql_connect.cc:1242
      #16 0x00007f95fb580494 in start_thread (arg=0x7f95e4138700) at pthread_create.c:333
      #17 0x00007f95f996693f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      When run on an ASAN build, it produces the ASAN failures described above.


          Activity

            Another test case with a somewhat different stack trace; it seems to be the same failure still.

            Run with --repeat=N if it doesn't fail right away. For a reason unknown to me, it's non-deterministic, even with ASAN.

            SET NAMES utf8;
            # Table with a TIMESTAMP column and a PERSISTENT generated column (b) derived from a.
            CREATE TEMPORARY TABLE t (u TIMESTAMP DEFAULT 0, a INT, b INT GENERATED ALWAYS AS (a) PERSISTENT) ENGINE=MyISAM;
            INSERT INTO t () VALUES () ;
            # Index on the generated column.
            ALTER TABLE t ADD KEY (b);
            # This statement is expected to fail with ER_KEY_COLUMN_DOES_NOT_EXITS (f1 does not exist).
            --error ER_KEY_COLUMN_DOES_NOT_EXITS
            ALTER TABLE t CHANGE IF EXISTS f1 f2 SERIAL;
            # Round-trip the row through a data file, replacing the existing row on reload.
            SELECT * FROM t INTO OUTFILE 'load.data';
            LOAD DATA INFILE 'load.data' REPLACE INTO TABLE t;
            # The crash reported below is observed on this statement (see rawbuf in the stack trace).
            ALTER TABLE t ADD KEY (f3);
             
            # Cleanup: remove the outfile written above from the datadir.
            --let $datadir= `SELECT @@datadir`
            --remove_file $datadir/test/load.data
            

            10.4 5b4d6595

            #3  <signal handler called>
            #4  0x0000558fc9da3fbd in my_timestamp_from_binary (tm=0x7f6449598bf0, ptr=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>, dec=0) at /data/src/10.4/sql/compat56.cc:407
            #5  0x0000558fc9dbb305 in Field_timestampf::get_timestamp (this=0x7f64380428e0, pos=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>, sec_part=0x7f6449598c50) at /data/src/10.4/sql/field.cc:5559
            #6  0x0000558fc9dd76b3 in Field_timestamp::get_timestamp (this=0x7f64380428e0, sec_part=0x7f6449598c50) at /data/src/10.4/sql/field.h:2790
            #7  0x0000558fc9db9c15 in Field_timestamp::get_date (this=0x7f64380428e0, ltime=0x7f6449598cd0, fuzzydate=...) at /data/src/10.4/sql/field.cc:5295
            #8  0x0000558fc9db96e0 in Field_timestamp::val_str (this=0x7f64380428e0, val_buffer=0x7f6449598dc0, val_ptr=0x7f6449598dc0) at /data/src/10.4/sql/field.cc:5220
            #9  0x0000558fc998e7a9 in Field::val_str (this=0x7f64380428e0, str=0x7f6449598dc0) at /data/src/10.4/sql/field.h:834
            #10 0x0000558fc9dd4cb9 in Field::val_str (this=0x7f64380428e0, str=0x7f6449598dc0, new_ptr=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>) at /data/src/10.4/sql/field.h:1336
            #11 0x0000558fc9dd14f3 in Column_definition::Column_definition (this=0x7f6438015df0, thd=0x7f6438000b00, old_field=0x7f64380428e0, orig_field=0x7f64380428e0) at /data/src/10.4/sql/field.cc:10782
            #12 0x0000558fc9a6cf6c in Create_field::Create_field (this=0x7f6438015df0, thd=0x7f6438000b00, old_field=0x7f64380428e0, orig_field=0x7f64380428e0) at /data/src/10.4/sql/field.h:4939
            #13 0x0000558fc9b8de4b in mysql_prepare_alter_table (thd=0x7f6438000b00, table=0x7f643812e010, create_info=0x7f644959acd0, alter_info=0x7f644959ac10, alter_ctx=0x7f644959a0e0) at /data/src/10.4/sql/sql_table.cc:8022
            #14 0x0000558fc9b92388 in mysql_alter_table (thd=0x7f6438000b00, new_db=0x7f6438005290, new_name=0x7f6438005690, create_info=0x7f644959acd0, table_list=0x7f6438015590, alter_info=0x7f644959ac10, order_num=0, order=0x0, ignore=false) at /data/src/10.4/sql/sql_table.cc:9498
            #15 0x0000558fc9c1ff20 in Sql_cmd_alter_table::execute (this=0x7f6438015d08, thd=0x7f6438000b00) at /data/src/10.4/sql/sql_alter.cc:499
            #16 0x0000558fc9ab2cc6 in mysql_execute_command (thd=0x7f6438000b00) at /data/src/10.4/sql/sql_parse.cc:6346
            #17 0x0000558fc9ab7e6e in mysql_parse (thd=0x7f6438000b00, rawbuf=0x7f64380154a8 "ALTER TABLE t ADD KEY (f3)", length=26, parser_state=0x7f644959c180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8157
            #18 0x0000558fc9aa355c in dispatch_command (command=COM_QUERY, thd=0x7f6438000b00, packet=0x7f643800a761 "ALTER TABLE t ADD KEY (f3)", packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
            #19 0x0000558fc9aa1d30 in do_command (thd=0x7f6438000b00) at /data/src/10.4/sql/sql_parse.cc:1358
            #20 0x0000558fc9c19e35 in do_handle_one_connection (connect=0x558fcdafab50) at /data/src/10.4/sql/sql_connect.cc:1399
            #21 0x0000558fc9c19ba6 in handle_one_connection (arg=0x558fcdafab50) at /data/src/10.4/sql/sql_connect.cc:1302
            #22 0x0000558fca110315 in pfs_spawn_thread (arg=0x558fcdbed130) at /data/src/10.4/storage/perfschema/pfs.cc:1862
            #23 0x00007f64510f9494 in start_thread (arg=0x7f644959d700) at pthread_create.c:333
            #24 0x00007f644f4df93f in clone () from /lib/x86_64-linux-gnu/libc.so.6
            

            10.4 ASAN 5b4d6595

            ==763==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001212d4 at pc 0x5614f2ee63f6 bp 0x7fe8aacd6200 sp 0x7fe8aacd61f8
            READ of size 1 at 0x60e0001212d4 thread T5
                #0 0x5614f2ee63f5 in my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int) /data/src/10.4/sql/compat56.cc:407
                #1 0x5614f2f2797e in Field_timestampf::get_timestamp(unsigned char const*, unsigned long*) const /data/src/10.4/sql/field.cc:5559
                #2 0x5614f2f73542 in Field_timestamp::get_timestamp(unsigned long*) const /data/src/10.4/sql/field.h:2790
                #3 0x5614f2f236d9 in Field_timestamp::get_date(st_mysql_time*, date_mode_t) /data/src/10.4/sql/field.cc:5295
                #4 0x5614f2f22839 in Field_timestamp::val_str(String*, String*) /data/src/10.4/sql/field.cc:5220
                #5 0x5614f2593351 in Field::val_str(String*) /data/src/10.4/sql/field.h:834
                #6 0x5614f2f6db21 in Field::val_str(String*, unsigned char const*) /data/src/10.4/sql/field.h:1336
                #7 0x5614f2f6605a in Column_definition::Column_definition(THD*, Field*, Field*) /data/src/10.4/sql/field.cc:10782
                #8 0x5614f27887eb in Create_field::Create_field(THD*, Field*, Field*) /data/src/10.4/sql/field.h:4939
                #9 0x5614f2a4160e in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/src/10.4/sql/sql_table.cc:8022
                #10 0x5614f2a4a8ee in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9498
                #11 0x5614f2b9e9fa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499
                #12 0x5614f282093b in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6346
                #13 0x5614f282b33c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
                #14 0x5614f2803545 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
                #15 0x5614f2800346 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
                #16 0x5614f2b8f2e9 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
                #17 0x5614f2b8ece2 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
                #18 0x5614f3757714 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
                #19 0x7fe8b605a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
                #20 0x7fe8b444093e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
             
            0x60e0001212d4 is located 116 bytes inside of 148-byte region [0x60e000121260,0x60e0001212f4)
            freed by thread T5 here:
                #0 0x7fe8b62c4527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
                #1 0x5614f4108371 in free_memory /data/src/10.4/mysys/safemalloc.c:279
                #2 0x5614f4107977 in sf_free /data/src/10.4/mysys/safemalloc.c:197
                #3 0x5614f40d83c0 in my_free /data/src/10.4/mysys/my_malloc.c:222
                #4 0x5614f353944c in info_remove_lock /data/src/10.4/storage/maria/ma_pagecache.c:2316
                #5 0x5614f353dc50 in make_lock_and_pin /data/src/10.4/storage/maria/ma_pagecache.c:2631
                #6 0x5614f3541619 in pagecache_unlock_by_link /data/src/10.4/storage/maria/ma_pagecache.c:3091
                #7 0x5614f35b5306 in _ma_unpin_all_pages /data/src/10.4/storage/maria/ma_key_recover.c:71
                #8 0x5614f35ecb28 in write_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3432
                #9 0x5614f35eda3b in allocate_and_write_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3566
                #10 0x5614f35edd0e in _ma_write_init_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3606
                #11 0x5614f361f85b in maria_write /data/src/10.4/storage/maria/ma_write.c:157
                #12 0x5614f34d47b1 in ha_maria::write_row(unsigned char*) /data/src/10.4/storage/maria/ha_maria.cc:1326
                #13 0x5614f29787ad in handler::ha_write_tmp_row(unsigned char*) /data/src/10.4/sql/sql_class.h:6610
                #14 0x5614f29a598d in schema_table_store_record(THD*, TABLE*) /data/src/10.4/sql/sql_show.cc:3870
                #15 0x5614f298b388 in show_plugins /data/src/10.4/sql/sql_show.cc:304
                #16 0x5614f284d569 in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.4/sql/sql_plugin.cc:2432
                #17 0x5614f298b508 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.4/sql/sql_show.cc:313
                #18 0x5614f29e0c6a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.4/sql/sql_show.cc:8840
                #19 0x5614f28c9a65 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4317
                #20 0x5614f28c7b4f in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4142
                #21 0x5614f28cb62c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4574
                #22 0x5614f28a1d0e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:423
                #23 0x5614f2822a49 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6604
                #24 0x5614f280f5d2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3841
                #25 0x5614f26006ac in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3592
                #26 0x5614f25fee39 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3320
                #27 0x5614f25ffdce in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3498
                #28 0x5614f25f2c1a in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1342
                #29 0x5614f25f7fb5 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2284
             
            previously allocated by thread T5 here:
                #0 0x7fe8b62c473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
                #1 0x5614f41070e7 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
                #2 0x5614f40d79e2 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
                #3 0x5614f3539313 in info_add_lock /data/src/10.4/storage/maria/ma_pagecache.c:2302
                #4 0x5614f353dbb8 in make_lock_and_pin /data/src/10.4/storage/maria/ma_pagecache.c:2608
                #5 0x5614f354289e in pagecache_read /data/src/10.4/storage/maria/ma_pagecache.c:3425
                #6 0x5614f35e0df9 in get_head_or_tail_page /data/src/10.4/storage/maria/ma_blockrec.c:1782
                #7 0x5614f35ed54d in allocate_and_write_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3545
                #8 0x5614f35edd0e in _ma_write_init_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3606
                #9 0x5614f361f85b in maria_write /data/src/10.4/storage/maria/ma_write.c:157
                #10 0x5614f34d47b1 in ha_maria::write_row(unsigned char*) /data/src/10.4/storage/maria/ha_maria.cc:1326
                #11 0x5614f29787ad in handler::ha_write_tmp_row(unsigned char*) /data/src/10.4/sql/sql_class.h:6610
                #12 0x5614f29a598d in schema_table_store_record(THD*, TABLE*) /data/src/10.4/sql/sql_show.cc:3870
                #13 0x5614f298b388 in show_plugins /data/src/10.4/sql/sql_show.cc:304
                #14 0x5614f284d569 in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.4/sql/sql_plugin.cc:2432
                #15 0x5614f298b508 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.4/sql/sql_show.cc:313
                #16 0x5614f29e0c6a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.4/sql/sql_show.cc:8840
                #17 0x5614f28c9a65 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4317
                #18 0x5614f28c7b4f in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4142
                #19 0x5614f28cb62c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4574
                #20 0x5614f28a1d0e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:423
                #21 0x5614f2822a49 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6604
                #22 0x5614f280f5d2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3841
                #23 0x5614f26006ac in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3592
                #24 0x5614f25fee39 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3320
                #25 0x5614f25ffdce in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3498
                #26 0x5614f25f2c1a in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1342
                #27 0x5614f25f7fb5 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2284
                #28 0x5614f2809887 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:2968
                #29 0x5614f280b381 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3210
             
            Thread T5 created by T0 here:
                #0 0x7fe8b6293bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
                #1 0x5614f3757cdc in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
                #2 0x5614f254f866 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
                #3 0x5614f2565090 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6194
                #4 0x5614f2565795 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6264
                #5 0x5614f2565b25 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6362
                #6 0x5614f2566771 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6520
                #7 0x5614f25648cb in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5852
                #8 0x5614f254d6ef in main /data/src/10.4/sql/main.cc:25
                #9 0x7fe8b43782b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
             
            SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/compat56.cc:407 my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int)
            Shadow bytes around the buggy address:
              0x0c1c8001c200: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
              0x0c1c8001c210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c1c8001c220: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
              0x0c1c8001c230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c1c8001c240: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
            =>0x0c1c8001c250: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fa
              0x0c1c8001c260: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c1c8001c270: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
              0x0c1c8001c280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c1c8001c290: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
              0x0c1c8001c2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Heap right redzone:      fb
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack partial redzone:   f4
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Contiguous container OOB:fc
              ASan internal:           fe
            ==763==ABORTING
            

            elenst Elena Stepanova added a comment - Another test case with a somewhat different stack trace, seems to be the same failure still. Run with --repeat=N if it doesn't fail right away. On a reason unknown to me, it's non-deterministic, even with ASAN. SET NAMES utf8; CREATE TEMPORARY TABLE t (u TIMESTAMP DEFAULT 0, a INT , b INT GENERATED ALWAYS AS (a) PERSISTENT) ENGINE=MyISAM; INSERT INTO t () VALUES () ; ALTER TABLE t ADD KEY (b); --error ER_KEY_COLUMN_DOES_NOT_EXITS ALTER TABLE t CHANGE IF EXISTS f1 f2 SERIAL; SELECT * FROM t INTO OUTFILE 'load.data' ; LOAD DATA INFILE 'load.data' REPLACE INTO TABLE t; ALTER TABLE t ADD KEY (f3);   # Cleanup --let $datadir= `SELECT @@datadir` --remove_file $datadir/test/load.data 10.4 5b4d6595 #3 <signal handler called> #4 0x0000558fc9da3fbd in my_timestamp_from_binary (tm=0x7f6449598bf0, ptr=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>, dec=0) at /data/src/10.4/sql/compat56.cc:407 #5 0x0000558fc9dbb305 in Field_timestampf::get_timestamp (this=0x7f64380428e0, pos=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>, sec_part=0x7f6449598c50) at /data/src/10.4/sql/field.cc:5559 #6 0x0000558fc9dd76b3 in Field_timestamp::get_timestamp (this=0x7f64380428e0, sec_part=0x7f6449598c50) at /data/src/10.4/sql/field.h:2790 #7 0x0000558fc9db9c15 in Field_timestamp::get_date (this=0x7f64380428e0, ltime=0x7f6449598cd0, fuzzydate=...) 
at /data/src/10.4/sql/field.cc:5295 #8 0x0000558fc9db96e0 in Field_timestamp::val_str (this=0x7f64380428e0, val_buffer=0x7f6449598dc0, val_ptr=0x7f6449598dc0) at /data/src/10.4/sql/field.cc:5220 #9 0x0000558fc998e7a9 in Field::val_str (this=0x7f64380428e0, str=0x7f6449598dc0) at /data/src/10.4/sql/field.h:834 #10 0x0000558fc9dd4cb9 in Field::val_str (this=0x7f64380428e0, str=0x7f6449598dc0, new_ptr=0x7f643822a741 <error: Cannot access memory at address 0x7f643822a741>) at /data/src/10.4/sql/field.h:1336 #11 0x0000558fc9dd14f3 in Column_definition::Column_definition (this=0x7f6438015df0, thd=0x7f6438000b00, old_field=0x7f64380428e0, orig_field=0x7f64380428e0) at /data/src/10.4/sql/field.cc:10782 #12 0x0000558fc9a6cf6c in Create_field::Create_field (this=0x7f6438015df0, thd=0x7f6438000b00, old_field=0x7f64380428e0, orig_field=0x7f64380428e0) at /data/src/10.4/sql/field.h:4939 #13 0x0000558fc9b8de4b in mysql_prepare_alter_table (thd=0x7f6438000b00, table=0x7f643812e010, create_info=0x7f644959acd0, alter_info=0x7f644959ac10, alter_ctx=0x7f644959a0e0) at /data/src/10.4/sql/sql_table.cc:8022 #14 0x0000558fc9b92388 in mysql_alter_table (thd=0x7f6438000b00, new_db=0x7f6438005290, new_name=0x7f6438005690, create_info=0x7f644959acd0, table_list=0x7f6438015590, alter_info=0x7f644959ac10, order_num=0, order=0x0, ignore=false) at /data/src/10.4/sql/sql_table.cc:9498 #15 0x0000558fc9c1ff20 in Sql_cmd_alter_table::execute (this=0x7f6438015d08, thd=0x7f6438000b00) at /data/src/10.4/sql/sql_alter.cc:499 #16 0x0000558fc9ab2cc6 in mysql_execute_command (thd=0x7f6438000b00) at /data/src/10.4/sql/sql_parse.cc:6346 #17 0x0000558fc9ab7e6e in mysql_parse (thd=0x7f6438000b00, rawbuf=0x7f64380154a8 "ALTER TABLE t ADD KEY (f3)", length=26, parser_state=0x7f644959c180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8157 #18 0x0000558fc9aa355c in dispatch_command (command=COM_QUERY, thd=0x7f6438000b00, packet=0x7f643800a761 "ALTER TABLE t ADD KEY (f3)", 
packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829 #19 0x0000558fc9aa1d30 in do_command (thd=0x7f6438000b00) at /data/src/10.4/sql/sql_parse.cc:1358 #20 0x0000558fc9c19e35 in do_handle_one_connection (connect=0x558fcdafab50) at /data/src/10.4/sql/sql_connect.cc:1399 #21 0x0000558fc9c19ba6 in handle_one_connection (arg=0x558fcdafab50) at /data/src/10.4/sql/sql_connect.cc:1302 #22 0x0000558fca110315 in pfs_spawn_thread (arg=0x558fcdbed130) at /data/src/10.4/storage/perfschema/pfs.cc:1862 #23 0x00007f64510f9494 in start_thread (arg=0x7f644959d700) at pthread_create.c:333 #24 0x00007f644f4df93f in clone () from /lib/x86_64-linux-gnu/libc.so.6 10.4 ASAN 5b4d6595 ==763==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001212d4 at pc 0x5614f2ee63f6 bp 0x7fe8aacd6200 sp 0x7fe8aacd61f8 READ of size 1 at 0x60e0001212d4 thread T5 #0 0x5614f2ee63f5 in my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int) /data/src/10.4/sql/compat56.cc:407 #1 0x5614f2f2797e in Field_timestampf::get_timestamp(unsigned char const*, unsigned long*) const /data/src/10.4/sql/field.cc:5559 #2 0x5614f2f73542 in Field_timestamp::get_timestamp(unsigned long*) const /data/src/10.4/sql/field.h:2790 #3 0x5614f2f236d9 in Field_timestamp::get_date(st_mysql_time*, date_mode_t) /data/src/10.4/sql/field.cc:5295 #4 0x5614f2f22839 in Field_timestamp::val_str(String*, String*) /data/src/10.4/sql/field.cc:5220 #5 0x5614f2593351 in Field::val_str(String*) /data/src/10.4/sql/field.h:834 #6 0x5614f2f6db21 in Field::val_str(String*, unsigned char const*) /data/src/10.4/sql/field.h:1336 #7 0x5614f2f6605a in Column_definition::Column_definition(THD*, Field*, Field*) /data/src/10.4/sql/field.cc:10782 #8 0x5614f27887eb in Create_field::Create_field(THD*, Field*, Field*) /data/src/10.4/sql/field.h:4939 #9 0x5614f2a4160e in mysql_prepare_alter_table(THD*, TABLE*, HA_CREATE_INFO*, Alter_info*, Alter_table_ctx*) /data/src/10.4/sql/sql_table.cc:8022 
#10 0x5614f2a4a8ee in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:9498 #11 0x5614f2b9e9fa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:499 #12 0x5614f282093b in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6346 #13 0x5614f282b33c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157 #14 0x5614f2803545 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829 #15 0x5614f2800346 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358 #16 0x5614f2b8f2e9 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399 #17 0x5614f2b8ece2 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302 #18 0x5614f3757714 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862 #19 0x7fe8b605a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493) #20 0x7fe8b444093e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)   0x60e0001212d4 is located 116 bytes inside of 148-byte region [0x60e000121260,0x60e0001212f4) freed by thread T5 here: #0 0x7fe8b62c4527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527) #1 0x5614f4108371 in free_memory /data/src/10.4/mysys/safemalloc.c:279 #2 0x5614f4107977 in sf_free /data/src/10.4/mysys/safemalloc.c:197 #3 0x5614f40d83c0 in my_free /data/src/10.4/mysys/my_malloc.c:222 #4 0x5614f353944c in info_remove_lock /data/src/10.4/storage/maria/ma_pagecache.c:2316 #5 0x5614f353dc50 in make_lock_and_pin /data/src/10.4/storage/maria/ma_pagecache.c:2631 #6 0x5614f3541619 in pagecache_unlock_by_link /data/src/10.4/storage/maria/ma_pagecache.c:3091 #7 0x5614f35b5306 in _ma_unpin_all_pages /data/src/10.4/storage/maria/ma_key_recover.c:71 #8 0x5614f35ecb28 in write_block_record 
/data/src/10.4/storage/maria/ma_blockrec.c:3432 #9 0x5614f35eda3b in allocate_and_write_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3566 #10 0x5614f35edd0e in _ma_write_init_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3606 #11 0x5614f361f85b in maria_write /data/src/10.4/storage/maria/ma_write.c:157 #12 0x5614f34d47b1 in ha_maria::write_row(unsigned char*) /data/src/10.4/storage/maria/ha_maria.cc:1326 #13 0x5614f29787ad in handler::ha_write_tmp_row(unsigned char*) /data/src/10.4/sql/sql_class.h:6610 #14 0x5614f29a598d in schema_table_store_record(THD*, TABLE*) /data/src/10.4/sql/sql_show.cc:3870 #15 0x5614f298b388 in show_plugins /data/src/10.4/sql/sql_show.cc:304 #16 0x5614f284d569 in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.4/sql/sql_plugin.cc:2432 #17 0x5614f298b508 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.4/sql/sql_show.cc:313 #18 0x5614f29e0c6a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.4/sql/sql_show.cc:8840 #19 0x5614f28c9a65 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4317 #20 0x5614f28c7b4f in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4142 #21 0x5614f28cb62c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4574 #22 0x5614f28a1d0e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:423 #23 0x5614f2822a49 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6604 #24 0x5614f280f5d2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3841 #25 0x5614f26006ac in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3592 #26 0x5614f25fee39 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3320 #27 
0x5614f25ffdce in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3498 #28 0x5614f25f2c1a in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1342 #29 0x5614f25f7fb5 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2284   previously allocated by thread T5 here: #0 0x7fe8b62c473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f) #1 0x5614f41070e7 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118 #2 0x5614f40d79e2 in my_malloc /data/src/10.4/mysys/my_malloc.c:101 #3 0x5614f3539313 in info_add_lock /data/src/10.4/storage/maria/ma_pagecache.c:2302 #4 0x5614f353dbb8 in make_lock_and_pin /data/src/10.4/storage/maria/ma_pagecache.c:2608 #5 0x5614f354289e in pagecache_read /data/src/10.4/storage/maria/ma_pagecache.c:3425 #6 0x5614f35e0df9 in get_head_or_tail_page /data/src/10.4/storage/maria/ma_blockrec.c:1782 #7 0x5614f35ed54d in allocate_and_write_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3545 #8 0x5614f35edd0e in _ma_write_init_block_record /data/src/10.4/storage/maria/ma_blockrec.c:3606 #9 0x5614f361f85b in maria_write /data/src/10.4/storage/maria/ma_write.c:157 #10 0x5614f34d47b1 in ha_maria::write_row(unsigned char*) /data/src/10.4/storage/maria/ha_maria.cc:1326 #11 0x5614f29787ad in handler::ha_write_tmp_row(unsigned char*) /data/src/10.4/sql/sql_class.h:6610 #12 0x5614f29a598d in schema_table_store_record(THD*, TABLE*) /data/src/10.4/sql/sql_show.cc:3870 #13 0x5614f298b388 in show_plugins /data/src/10.4/sql/sql_show.cc:304 #14 0x5614f284d569 in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /data/src/10.4/sql/sql_plugin.cc:2432 #15 0x5614f298b508 in fill_plugins(THD*, TABLE_LIST*, Item*) /data/src/10.4/sql/sql_show.cc:313 #16 0x5614f29e0c6a in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.4/sql/sql_show.cc:8840 #17 0x5614f28c9a65 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4317 #18 
0x5614f28c7b4f in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4142 #19 0x5614f28cb62c in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4574 #20 0x5614f28a1d0e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:423 #21 0x5614f2822a49 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6604 #22 0x5614f280f5d2 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3841 #23 0x5614f26006ac in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3592 #24 0x5614f25fee39 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3320 #25 0x5614f25ffdce in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.4/sql/sp_head.cc:3498 #26 0x5614f25f2c1a in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1342 #27 0x5614f25f7fb5 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.4/sql/sp_head.cc:2284 #28 0x5614f2809887 in do_execute_sp /data/src/10.4/sql/sql_parse.cc:2968 #29 0x5614f280b381 in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3210   Thread T5 created by T0 here: #0 0x7fe8b6293bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba) #1 0x5614f3757cdc in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912 #2 0x5614f254f866 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268 #3 0x5614f2565090 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6194 #4 0x5614f2565795 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6264 #5 0x5614f2565b25 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6362 #6 0x5614f2566771 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6520 #7 0x5614f25648cb in 
mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5852 #8 0x5614f254d6ef in main /data/src/10.4/sql/main.cc:25 #9 0x7fe8b43782b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)   SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/compat56.cc:407 my_timestamp_from_binary(timeval*, unsigned char const*, unsigned int) Shadow bytes around the buggy address: 0x0c1c8001c200: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c1c8001c210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c1c8001c220: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c1c8001c230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c1c8001c240: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd =>0x0c1c8001c250: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fa 0x0c1c8001c260: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c1c8001c270: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x0c1c8001c280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd 0x0c1c8001c290: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa 0x0c1c8001c2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Contiguous container OOB:fc ASan internal: fe ==763==ABORTING

            It appears to have been fixed along with MDEV-18486.

            elenst Elena Stepanova added a comment - It appears to have been fixed along with MDEV-18486 .
