Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
-
None
Description
The test case is non-deterministic, don't put it into the regression suite and run with --repeat=N. It usually fails for me within ~15 attempts, but it can vary on different machines and builds.
--connect (con1,localhost,root,,test)
|
BACKUP STAGE START;
|
BACKUP STAGE BLOCK_COMMIT;
|
BACKUP STAGE END; |
|
|
--connection default
|
CREATE TABLE t1 (f VARCHAR(32), KEY(f) USING BTREE) ENGINE=HEAP; |
|
|
--connection con1
|
INSERT IGNORE INTO t1 VALUES ('foo'),(NULL),('bar'),(NULL),('qux'); |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
BACKUP STAGE START;
|
|
|
--connection default
|
--send
|
DELETE FROM t1 WHERE f >= 'h'; |
|
|
--connection con1
|
BACKUP STAGE BLOCK_COMMIT;
|
|
|
# Cleanup
|
BACKUP STAGE END; |
--connection default
|
--reap
|
DROP TABLE t1; |
|
10.4 ASAN 5a087444 |
==18314==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0007b7a18 at pc 0x558d21fc8bbe bp 0x7f090f549240 sp 0x7f090f549238
|
READ of size 8 at 0x60e00040cdd8 thread T6
|
#0 0x55fed3ca1bbd in tree_search_next /data/src/10.4/mysys/tree.c:514
|
#1 0x55fed3ba0c60 in check_one_rb_key /data/src/10.4/storage/heap/_check.c:194
|
#2 0x55fed3b9fc73 in heap_check_heap /data/src/10.4/storage/heap/_check.c:55
|
#3 0x55fed3b9c247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
|
#4 0x55fed3b9c095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#5 0x55fed3b7f2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#6 0x55fed2b51cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
|
#7 0x55fed2676401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
|
#8 0x55fed29376a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#9 0x55fed2937d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#10 0x55fed294fdaf in backup_flush /data/src/10.4/sql/backup.cc:207
|
#11 0x55fed294f645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
|
#12 0x55fed23b75ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
|
#13 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#14 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#15 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#16 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#17 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#18 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#19 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7fcbca74893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x60e00040cdd8 is located 120 bytes inside of 156-byte region [0x60e00040cd60,0x60e00040cdfc)
|
freed by thread T5 here:
|
#0 0x7fcbcc5cc527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x55fed3cad5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x55fed3cacbdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x55fed3c7d628 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x55fed3ca0e20 in tree_delete /data/src/10.4/mysys/tree.c:374
|
#5 0x55fed3b858b1 in hp_rb_delete_key /data/src/10.4/storage/heap/hp_delete.c:81
|
#6 0x55fed3b85315 in heap_delete /data/src/10.4/storage/heap/hp_delete.c:41
|
#7 0x55fed3b80420 in ha_heap::delete_row(unsigned char const*) /data/src/10.4/storage/heap/ha_heap.cc:273
|
#8 0x55fed2b6f4e5 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6775
|
#9 0x55fed2f68a07 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:297
|
#10 0x55fed2f61282 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
|
#11 0x55fed23b5490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
|
#12 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T6 here:
|
#0 0x7fcbcc5cc73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x55fed3cac34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x55fed3c7cc4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x55fed3c9fe6f in tree_insert /data/src/10.4/mysys/tree.c:280
|
#4 0x55fed3b98630 in hp_rb_write_key /data/src/10.4/storage/heap/hp_write.c:123
|
#5 0x55fed3b97a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
|
#6 0x55fed3b7ffbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
|
#7 0x55fed2b6d9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
|
#8 0x55fed230dd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
|
#9 0x55fed231c45d in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3870
|
#10 0x55fed24db182 in end_send /data/src/10.4/sql/sql_select.cc:21198
|
#11 0x55fed24d32cf in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20229
|
#12 0x55fed250d113 in AGGR_OP::end_send() /data/src/10.4/sql/sql_select.cc:28239
|
#13 0x55fed24d1063 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19723
|
#14 0x55fed24d17be in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19958
|
#15 0x55fed24d02b6 in do_select /data/src/10.4/sql/sql_select.cc:19549
|
#16 0x55fed246950a in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4364
|
#17 0x55fed2466e05 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4146
|
#18 0x55fed246a8e2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4578
|
#19 0x55fed2440f52 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
|
#20 0x55fed23b485e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4896
|
#21 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#22 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#23 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#24 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#25 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#26 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#27 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fcbcc59bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55fed32fcf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x55fed20ed2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55fed21023f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x55fed2102af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x55fed2102e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x55fed2103ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x55fed2101c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x55fed20eb16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fcbca6802b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fcbcc59bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55fed32fcf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x55fed20ed2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55fed21023f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x55fed2102af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x55fed2102e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x55fed2103ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x55fed2101c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x55fed20eb16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fcbca6802b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/tree.c:514 tree_search_next
|
Shadow bytes around the buggy address:
|
0x0c1c80079960: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
|
0x0c1c80079970: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c80079980: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
|
0x0c1c80079990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c800799a0: 00 00 00 04 fa fa fa fa fa fa fa fa fd fd fd fd
|
=>0x0c1c800799b0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
|
0x0c1c800799c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
0x0c1c800799d0: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
|
0x0c1c800799e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0c1c800799f0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
|
0x0c1c80079a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==23015==ABORTING
|
|
10.4 5a087444 debug |
#3 <signal handler called>
|
#4 0x0000557f3f737aaf in hp_rb_make_key (keydef=0x7fcd1c1498a0, key=0x7fcd180d815c "\003qux", rec=0x708f8f8f8f142352 <error: Cannot access memory at address 0x708f8f8f8f142352>, recpos=0x0) at /data/src/10.4/storage/heap/hp_hash.c:617
|
#5 0x0000557f3f73db1c in check_one_rb_key (info=0x7fcd180d7e50, keynr=0, records=160, print_status=0 '\000') at /data/src/10.4/storage/heap/_check.c:184
|
#6 0x0000557f3f73d3e9 in heap_check_heap (info=0x7fcd180d7e50, print_status=0 '\000') at /data/src/10.4/storage/heap/_check.c:55
|
#7 0x0000557f3f73c182 in hp_close (info=0x7fcd180d7e50) at /data/src/10.4/storage/heap/hp_close.c:39
|
#8 0x0000557f3f73c0f9 in heap_close (info=0x7fcd180d7e50) at /data/src/10.4/storage/heap/hp_close.c:28
|
#9 0x0000557f3f73375b in ha_heap::close (this=0x7fcd1817c058) at /data/src/10.4/storage/heap/ha_heap.cc:140
|
#10 0x0000557f3efccc3a in handler::ha_close (this=0x7fcd1817c058) at /data/src/10.4/sql/handler.cc:2967
|
#11 0x0000557f3eda707e in closefrm (table=0x7fcd1817b1f0) at /data/src/10.4/sql/table.cc:3993
|
#12 0x0000557f3eeeedcf in intern_close_table (table=0x7fcd1817b1f0) at /data/src/10.4/sql/table_cache.cc:222
|
#13 0x0000557f3eeef1d7 in tc_purge (mark_flushed=false) at /data/src/10.4/sql/table_cache.cc:335
|
#14 0x0000557f3eef9516 in backup_flush (thd=0x7fcd18000b00) at /data/src/10.4/sql/backup.cc:207
|
#15 0x0000557f3eef91a2 in run_backup_stage (thd=0x7fcd18000b00, stage=BACKUP_LOCK_COMMIT) at /data/src/10.4/sql/backup.cc:110
|
#16 0x0000557f3ec896c8 in mysql_execute_command (thd=0x7fcd18000b00) at /data/src/10.4/sql/sql_parse.cc:5288
|
#17 0x0000557f3ec9348c in mysql_parse (thd=0x7fcd18000b00, rawbuf=0x7fcd180154a8 "BACKUP STAGE BLOCK_COMMIT", length=25, parser_state=0x7fcd34385180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8157
|
#18 0x0000557f3ec7eb7a in dispatch_command (command=COM_QUERY, thd=0x7fcd18000b00, packet=0x7fcd1800a761 "BACKUP STAGE BLOCK_COMMIT", packet_length=25, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
|
#19 0x0000557f3ec7d34e in do_command (thd=0x7fcd18000b00) at /data/src/10.4/sql/sql_parse.cc:1358
|
#20 0x0000557f3edf6e59 in do_handle_one_connection (connect=0x557f413cdc50) at /data/src/10.4/sql/sql_connect.cc:1399
|
#21 0x0000557f3edf6bca in handle_one_connection (arg=0x557f413cdc50) at /data/src/10.4/sql/sql_connect.cc:1302
|
#22 0x0000557f3f2edb51 in pfs_spawn_thread (arg=0x557f414c02c0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#23 0x00007fcd3af3c494 in start_thread (arg=0x7fcd34386700) at pthread_create.c:333
|
#24 0x00007fcd3932293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
|
Couldn't reproduce on a non-debug build, but it can be a timing issue.
Variation of the test case (the difference is the absence of WHERE clause in DELETE) and variation of the stack trace:
--connect (con1,localhost,root,,test)
|
BACKUP STAGE START;
|
BACKUP STAGE BLOCK_COMMIT;
|
BACKUP STAGE END; |
|
|
--connection default
|
CREATE TABLE t1 (f VARCHAR(32), KEY(f) USING BTREE) ENGINE=HEAP; |
|
|
--connection con1
|
INSERT IGNORE INTO t1 VALUES ('foo'),(NULL),('bar'),(NULL),('qux'); |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
BACKUP STAGE START;
|
|
|
--connection default
|
--send
|
DELETE FROM t1; |
|
|
--connection con1
|
BACKUP STAGE BLOCK_COMMIT;
|
|
|
# Cleanup
|
BACKUP STAGE END; |
--connection default
|
--reap
|
DROP TABLE t1; |
==26799==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001f24d0 at pc 0x5591ce8be6b2 bp 0x7f6e09c7d240 sp 0x7f6e09c7d238
|
READ of size 8 at 0x60e0001f24d0 thread T6
|
#0 0x5591ce8be6b1 in tree_search_edge /data/src/10.4/mysys/tree.c:488
|
#1 0x5591ce7bda2c in check_one_rb_key /data/src/10.4/storage/heap/_check.c:178
|
#2 0x5591ce7bcc73 in heap_check_heap /data/src/10.4/storage/heap/_check.c:55
|
#3 0x5591ce7b9247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
|
#4 0x5591ce7b9095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#5 0x5591ce79c2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#6 0x5591cd76ecf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
|
#7 0x5591cd293401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
|
#8 0x5591cd5546a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#9 0x5591cd554d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#10 0x5591cd56cdaf in backup_flush /data/src/10.4/sql/backup.cc:207
|
#11 0x5591cd56c645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
|
#12 0x5591ccfd45ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
|
#13 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#14 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#15 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#16 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#17 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#18 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#19 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7f6e138c293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x60e0001f24d0 is located 112 bytes inside of 156-byte region [0x60e0001f2460,0x60e0001f24fc)
|
freed by thread T5 here:
|
#0 0x7f6e15746527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x5591ce8ca5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x5591ce8c9bdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x5591ce89a628 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x5591ce8bc991 in delete_tree_element /data/src/10.4/mysys/tree.c:226
|
#5 0x5591ce8bc798 in delete_tree_element /data/src/10.4/mysys/tree.c:212
|
#6 0x5591ce8bc798 in delete_tree_element /data/src/10.4/mysys/tree.c:212
|
#7 0x5591ce8bc34d in free_tree /data/src/10.4/mysys/tree.c:150
|
#8 0x5591ce8bc709 in delete_tree /data/src/10.4/mysys/tree.c:196
|
#9 0x5591ce7b8621 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:94
|
#10 0x5591ce7b81dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
|
#11 0x5591ce7b8043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
|
#12 0x5591ce79e7eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
|
#13 0x5591cd77af0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
|
#14 0x5591cdb7c026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
|
#15 0x5591ccfd2490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
|
#16 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#17 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#18 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#19 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#20 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#21 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#22 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T6 here:
|
#0 0x7f6e1574673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x5591ce8c934f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x5591ce899c4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x5591ce8bce6f in tree_insert /data/src/10.4/mysys/tree.c:280
|
#4 0x5591ce7b5630 in hp_rb_write_key /data/src/10.4/storage/heap/hp_write.c:123
|
#5 0x5591ce7b4a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
|
#6 0x5591ce79cfbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
|
#7 0x5591cd78a9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
|
#8 0x5591ccf2ad8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
|
#9 0x5591ccf3945d in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3870
|
#10 0x5591cd0f8182 in end_send /data/src/10.4/sql/sql_select.cc:21198
|
#11 0x5591cd0f02cf in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20229
|
#12 0x5591cd12a113 in AGGR_OP::end_send() /data/src/10.4/sql/sql_select.cc:28239
|
#13 0x5591cd0ee063 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19723
|
#14 0x5591cd0ee7be in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19958
|
#15 0x5591cd0ed2b6 in do_select /data/src/10.4/sql/sql_select.cc:19549
|
#16 0x5591cd08650a in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4364
|
#17 0x5591cd083e05 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4146
|
#18 0x5591cd0878e2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4578
|
#19 0x5591cd05df52 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
|
#20 0x5591ccfd185e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4896
|
#21 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#22 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#23 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#24 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#25 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#26 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#27 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7f6e15715bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x5591cdf19f02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x5591ccd0a2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x5591ccd1f3f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x5591ccd1faf7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x5591ccd1fe87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x5591ccd20ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x5591ccd1ec2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x5591ccd0816f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7f6e137fa2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f6e15715bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x5591cdf19f02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x5591ccd0a2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x5591ccd1f3f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x5591ccd1faf7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x5591ccd1fe87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x5591ccd20ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x5591ccd1ec2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x5591ccd0816f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7f6e137fa2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/tree.c:488 tree_search_edge
|
Shadow bytes around the buggy address:
|
0x0c1c80036440: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
|
0x0c1c80036450: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c80036460: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c1c80036470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c80036480: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
|
=>0x0c1c80036490: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
|
0x0c1c800364a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
0x0c1c800364b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
|
0x0c1c800364c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c800364d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c1c800364e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==26799==ABORTING
|
Another variation of the test case with two variations of the stack trace:
--connect (con1,localhost,root,,test)
|
BACKUP STAGE START;
|
BACKUP STAGE BLOCK_COMMIT;
|
UNLOCK TABLES;
|
BACKUP STAGE END; |
|
|
--connection default
|
CREATE TABLE t1 (f1 VARCHAR(32), f2 VARCHAR (32), KEY (f1) USING HASH, KEY (f2) USING BTREE) ENGINE=HEAP; |
|
|
--connection con1
|
INSERT INTO t1 VALUES ('foo','bar'),(NULL,NULL),(NULL,'foobar'),('a',NULL),(NULL,'qux'); |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
INSERT INTO t1 SELECT * FROM t1; |
|
|
BACKUP STAGE START;
|
|
|
--connection default
|
--send
|
DELETE FROM t1; |
--connection con1
|
BACKUP STAGE BLOCK_COMMIT;
|
|
|
# Cleanup
|
--connection con1
|
BACKUP STAGE END; |
--disconnect con1
|
--connection default
|
--reap
|
DROP TABLE t1; |
==15871==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000134280 at pc 0x56043f28244f bp 0x7fb5c0ace300 sp 0x7fb5c0ace2f8
|
READ of size 8 at 0x62b000134280 thread T6
|
#0 0x56043f28244e in check_one_key /data/src/10.4/storage/heap/_check.c:114
|
#1 0x56043f281d4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
|
#2 0x56043f27e247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
|
#3 0x56043f27e095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#4 0x56043f2612fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#5 0x56043e233cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
|
#6 0x56043dd58401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
|
#7 0x56043e0196a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#8 0x56043e019d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#9 0x56043e031daf in backup_flush /data/src/10.4/sql/backup.cc:207
|
#10 0x56043e031645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
|
#11 0x56043da995ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
|
#12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#19 0x7fb5ca71393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x62b000134280 is located 128 bytes inside of 24116-byte region [0x62b000134200,0x62b00013a034)
|
freed by thread T5 here:
|
#0 0x7fb5cc597527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x56043f38f5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x56043f38ebdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x56043f35f628 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x56043f27cff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
|
#5 0x56043f27d6d6 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:100
|
#6 0x56043f27d1dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
|
#7 0x56043f27d043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
|
#8 0x56043f2637eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
|
#9 0x56043e23ff0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
|
#10 0x56043e641026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
|
#11 0x56043da97490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
|
#12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T6 here:
|
#0 0x7fb5cc59773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x56043f38e34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x56043f35ec4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x56043f27c91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
|
#4 0x56043f27c032 in hp_find_free_hash /data/src/10.4/storage/heap/hp_write.c:411
|
#5 0x56043f27b06e in hp_write_key /data/src/10.4/storage/heap/hp_write.c:214
|
#6 0x56043f279a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
|
#7 0x56043f261fbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
|
#8 0x56043e24f9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
|
#9 0x56043d9efd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
|
#10 0x56043d9e87cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
|
#11 0x56043da957cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
|
#12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fb5cc566bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x56043e9def02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x56043d7cf2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x56043d7e43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x56043d7e4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x56043d7e4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x56043d7e5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x56043d7e3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x56043d7cd16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fb5ca64b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fb5cc566bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x56043e9def02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x56043d7cf2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x56043d7e43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x56043d7e4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x56043d7e4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x56043d7e5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x56043d7e3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x56043d7cd16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fb5ca64b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/_check.c:114 check_one_key
|
Shadow bytes around the buggy address:
|
0x0c568001e800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568001e810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568001e820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568001e830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c568001e840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c568001e850:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c568001e860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c568001e870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c568001e880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c568001e890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c568001e8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==15871==ABORTING
|
==5683==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa55e003862 at pc 0x56427b37b707 bp 0x7fa55e8bd1b0 sp 0x7fa55e8bd1a8
|
READ of size 1 at 0x7fa55e003862 thread T6
|
#0 0x56427b37b706 in hp_rec_hashnr /data/src/10.4/storage/heap/hp_hash.c:315
|
#1 0x56427b392492 in check_one_key /data/src/10.4/storage/heap/_check.c:114
|
#2 0x56427b391d4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
|
#3 0x56427b38e247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
|
#4 0x56427b38e095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#5 0x56427b3712fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#6 0x56427a343cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
|
#7 0x564279e68401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
|
#8 0x56427a1296a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#9 0x56427a129d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#10 0x56427a141daf in backup_flush /data/src/10.4/sql/backup.cc:207
|
#11 0x56427a141645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
|
#12 0x564279ba95ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
|
#13 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#14 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#15 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#16 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#17 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#18 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#19 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#20 0x7fa56850293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x7fa55e003862 is located 69730 bytes inside of 132836-byte region [0x7fa55dff2800,0x7fa55e012ee4)
|
freed by thread T5 here:
|
#0 0x7fa56a386527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x56427b49f5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x56427b49ebdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x56427b46f628 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x56427b38cff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
|
#5 0x56427b38cfca in hp_free_level /data/src/10.4/storage/heap/hp_block.c:146
|
#6 0x56427b38d17e in hp_clear /data/src/10.4/storage/heap/hp_clear.c:35
|
#7 0x56427b38d043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
|
#8 0x56427b3737eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
|
#9 0x56427a34ff0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
|
#10 0x56427a751026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
|
#11 0x564279ba7490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
|
#12 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T6 here:
|
#0 0x7fa56a38673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x56427b49e34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x56427b46ec4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x56427b38c91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
|
#4 0x56427b38acef in next_free_record_pos /data/src/10.4/storage/heap/hp_write.c:165
|
#5 0x56427b389868 in heap_write /data/src/10.4/storage/heap/hp_write.c:45
|
#6 0x56427b371fbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
|
#7 0x56427a35f9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
|
#8 0x564279affd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
|
#9 0x564279af87cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
|
#10 0x564279ba57cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
|
#11 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#12 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#13 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#14 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#15 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#16 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#17 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7fa56a355bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x56427aaeef02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x5642798df2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x5642798f43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x5642798f4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x5642798f4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x5642798f5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x5642798f3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x5642798dd16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fa56843a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7fa56a355bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x56427aaeef02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x5642798df2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x5642798f43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x5642798f4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x5642798f4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x5642798f5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x5642798f3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x5642798dd16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7fa56843a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/hp_hash.c:315 hp_rec_hashnr
|
Shadow bytes around the buggy address:
|
0x0ff52bbf86b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf86c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf86d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf86e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf86f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0ff52bbf8700: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
|
0x0ff52bbf8710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf8720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf8730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf8740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0ff52bbf8750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==5683==ABORTING
|
|
|
|
|
==6061==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100022c580 at pc 0x55bc1a5b044f bp 0x7f7e41d5a300 sp 0x7f7e41d5a2f8
|
READ of size 8 at 0x62100022c580 thread T5
|
#0 0x55bc1a5b044e in check_one_key /data/src/10.4/storage/heap/_check.c:114
|
#1 0x55bc1a5afd4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
|
#2 0x55bc1a5ac247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
|
#3 0x55bc1a5ac095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
|
#4 0x55bc1a58f2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
|
#5 0x55bc19561cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
|
#6 0x55bc19086401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
|
#7 0x55bc193476a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
|
#8 0x55bc19347d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
|
#9 0x55bc1935fdaf in backup_flush /data/src/10.4/sql/backup.cc:207
|
#10 0x55bc1935f645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
|
#11 0x55bc18dc75ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
|
#12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
#19 0x7f7e4b4c193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
|
|
|
0x62100022c580 is located 128 bytes inside of 4028-byte region [0x62100022c500,0x62100022d4bc)
|
freed by thread T6 here:
|
#0 0x7f7e4d345527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
|
#1 0x55bc1a6bd5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
|
#2 0x55bc1a6bcbdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
|
#3 0x55bc1a68d628 in my_free /data/src/10.4/mysys/my_malloc.c:222
|
#4 0x55bc1a5aaff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
|
#5 0x55bc1a5ab6d6 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:100
|
#6 0x55bc1a5ab1dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
|
#7 0x55bc1a5ab043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
|
#8 0x55bc1a5917eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
|
#9 0x55bc1956df0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
|
#10 0x55bc1996f026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
|
#11 0x55bc18dc5490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
|
#12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
previously allocated by thread T5 here:
|
#0 0x7f7e4d34573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
|
#1 0x55bc1a6bc34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
|
#2 0x55bc1a68cc4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
|
#3 0x55bc1a5aa91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
|
#4 0x55bc1a5aa032 in hp_find_free_hash /data/src/10.4/storage/heap/hp_write.c:411
|
#5 0x55bc1a5a906e in hp_write_key /data/src/10.4/storage/heap/hp_write.c:214
|
#6 0x55bc1a5a7a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
|
#7 0x55bc1a58ffbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
|
#8 0x55bc1957d9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
|
#9 0x55bc18d1dd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
|
#10 0x55bc18d167cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
|
#11 0x55bc18dc37cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
|
#12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
|
#13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
|
#14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
|
#15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
|
#16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
|
#17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
|
#18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
|
|
|
Thread T5 created by T0 here:
|
#0 0x7f7e4d314bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55bc19d0cf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x55bc18afd2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55bc18b123f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x55bc18b12af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x55bc18b12e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x55bc18b13ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x55bc18b11c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x55bc18afb16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7f7e4b3f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
Thread T6 created by T0 here:
|
#0 0x7f7e4d314bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
|
#1 0x55bc19d0cf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
|
#2 0x55bc18afd2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55bc18b123f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
|
#4 0x55bc18b12af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
|
#5 0x55bc18b12e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
|
#6 0x55bc18b13ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
|
#7 0x55bc18b11c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
|
#8 0x55bc18afb16f in main /data/src/10.4/sql/main.cc:25
|
#9 0x7f7e4b3f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/_check.c:114 check_one_key
|
Shadow bytes around the buggy address:
|
0x0c428003d860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428003d870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428003d880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428003d890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c428003d8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
=>0x0c428003d8b0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428003d8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428003d8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428003d8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428003d8f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c428003d900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Heap right redzone: fb
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack partial redzone: f4
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Contiguous container OOB:fc
|
ASan internal: fe
|
==6061==ABORTING
|
Attachments
Issue Links
- causes
-
-
- Closed
-
- duplicates
-
-
- Closed
-
Activity
Yet another similar stack trace, almost identical, but just different enough to be not findable in JIRA:
|
10.4 41779561 |
==6859==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0006a50c8 at pc 0x55b703f95201 bp 0x7f92b94cd590 sp 0x7f92b94cd580
|
READ of size 1 at 0x60e0006a50c8 thread T34
|
#0 0x55b703f95200 in ha_key_cmp /home/vsts/src/mysys/my_compare.c:145
|
#1 0x55b703295917 in check_one_rb_key /home/vsts/src/storage/heap/_check.c:185
|
#2 0x55b7032949b9 in heap_check_heap /home/vsts/src/storage/heap/_check.c:55
|
#3 0x55b703291184 in hp_close /home/vsts/src/storage/heap/hp_close.c:39
|
#4 0x55b703290f95 in heap_close /home/vsts/src/storage/heap/hp_close.c:28
|
#5 0x55b703273e60 in ha_heap::close() /home/vsts/src/storage/heap/ha_heap.cc:140
|
#6 0x55b702d49b1c in handler::ha_close() /home/vsts/src/sql/handler.cc:2794
|
#7 0x55b702889c82 in closefrm(TABLE*) /home/vsts/src/sql/table.cc:3997
|
#8 0x55b702b91d0e in intern_close_table /home/vsts/src/sql/table_cache.cc:222
|
#9 0x55b702b923c3 in tc_purge(bool) /home/vsts/src/sql/table_cache.cc:335
|
#10 0x55b702bab561 in backup_flush /home/vsts/src/sql/backup.cc:207
|
#11 0x55b702baac44 in run_backup_stage(THD*, backup_stages) /home/vsts/src/sql/backup.cc:110
|
#12 0x55b7025a61dc in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:5284
|
#13 0x55b7025bad68 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8150
|
#14 0x55b70258f32b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1828
|
#15 0x55b70258bb46 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1361
|
#16 0x55b70294e658 in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398
|
#17 0x55b70294df13 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301
|
#18 0x7f92e84606b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
#19 0x7f92e76e541c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
|
0x60e0006a50c8 is located 136 bytes inside of 156-byte region [0x60e0006a5040,0x60e0006a50dc)
|
freed by thread T35 here:
|
#0 0x7f92e9b4a7f8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7f8)
|
#1 0x55b703fcfb6f in free_memory /home/vsts/src/mysys/safemalloc.c:279
|
#2 0x55b703fcf12d in sf_free /home/vsts/src/mysys/safemalloc.c:197
|
#3 0x55b703f9e941 in my_free /home/vsts/src/mysys/my_malloc.c:222
|
#4 0x55b703fc2b14 in tree_delete /home/vsts/src/mysys/tree.c:374
|
#5 0x55b70327a299 in hp_rb_delete_key /home/vsts/src/storage/heap/hp_delete.c:81
|
#6 0x55b703279c22 in heap_delete /home/vsts/src/storage/heap/hp_delete.c:41
|
#7 0x55b703274edc in ha_heap::delete_row(unsigned char const*) /home/vsts/src/storage/heap/ha_heap.cc:273
|
#8 0x55b702d6971c in handler::ha_delete_row(unsigned char const*) /home/vsts/src/sql/handler.cc:6673
|
#9 0x55b703187cc7 in TABLE::delete_row() /home/vsts/src/sql/sql_delete.cc:297
|
#10 0x55b70317f363 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /home/vsts/src/sql/sql_delete.cc:836
|
#11 0x55b7025a3e96 in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:4978
|
#12 0x55b7025bad68 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8150
|
#13 0x55b70258f32b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1828
|
#14 0x55b70258bb46 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1361
|
#15 0x55b70294e658 in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398
|
#16 0x55b70294df13 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301
|
#17 0x7f92e84606b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
previously allocated by thread T36 here:
|
#0 0x7f92e9b4ab90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)
|
#1 0x55b703fcead1 in sf_malloc /home/vsts/src/mysys/safemalloc.c:118
|
#2 0x55b703f9de8c in my_malloc /home/vsts/src/mysys/my_malloc.c:101
|
#3 0x55b703fc1d75 in tree_insert /home/vsts/src/mysys/tree.c:280
|
#4 0x55b70328d3e3 in hp_rb_write_key /home/vsts/src/storage/heap/hp_write.c:123
|
#5 0x55b70328c7a9 in heap_write /home/vsts/src/storage/heap/hp_write.c:52
|
#6 0x55b703274a84 in ha_heap::write_row(unsigned char*) /home/vsts/src/storage/heap/ha_heap.cc:239
|
#7 0x55b702d67c7f in handler::ha_write_row(unsigned char*) /home/vsts/src/sql/handler.cc:6565
|
#8 0x55b7024f4806 in write_record(THD*, TABLE*, st_copy_info*) /home/vsts/src/sql/sql_insert.cc:2034
|
#9 0x55b702503a31 in select_insert::send_data(List<Item>&) /home/vsts/src/sql/sql_insert.cc:3890
|
#10 0x55b7026dcb1e in end_send /home/vsts/src/sql/sql_select.cc:21224
|
#11 0x55b7026d50e9 in evaluate_join_record /home/vsts/src/sql/sql_select.cc:20255
|
#12 0x55b702711671 in AGGR_OP::end_send() /home/vsts/src/sql/sql_select.cc:28284
|
#13 0x55b7026d2a4b in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /home/vsts/src/sql/sql_select.cc:19749
|
#14 0x55b7026d3357 in sub_select(JOIN*, st_join_table*, bool) /home/vsts/src/sql/sql_select.cc:19984
|
#15 0x55b7026d1d99 in do_select /home/vsts/src/sql/sql_select.cc:19575
|
#16 0x55b702665343 in JOIN::exec_inner() /home/vsts/src/sql/sql_select.cc:4389
|
#17 0x55b702662a25 in JOIN::exec() /home/vsts/src/sql/sql_select.cc:4171
|
#18 0x55b7026668b7 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/vsts/src/sql/sql_select.cc:4603
|
#19 0x55b702639d1e in handle_select(THD*, LEX*, select_result*, unsigned long) /home/vsts/src/sql/sql_select.cc:412
|
#20 0x55b7025a31ef in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:4893
|
#21 0x55b7025bad68 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8150
|
#22 0x55b70258f32b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1828
|
#23 0x55b70258bb46 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1361
|
#24 0x55b70294e658 in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398
|
#25 0x55b70294df13 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301
|
#26 0x7f92e84606b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
|
Thread T34 created by T0 here:
|
#0 0x7f92e9aa3d6f in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d6f)
|
#1 0x55b703fffaa9 in spawn_thread_noop /home/vsts/src/mysys/psi_noop.c:187
|
#2 0x55b7022bd1d4 in inline_mysql_thread_create /home/vsts/src/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55b7022d3dc1 in create_thread_to_handle_connection(CONNECT*) /home/vsts/src/sql/mysqld.cc:6215
|
#4 0x55b7022d457a in create_new_thread(CONNECT*) /home/vsts/src/sql/mysqld.cc:6283
|
#5 0x55b7022d4942 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/vsts/src/sql/mysqld.cc:6381
|
#6 0x55b7022d5793 in handle_connections_sockets() /home/vsts/src/sql/mysqld.cc:6539
|
#7 0x55b7022d3542 in mysqld_main(int, char**) /home/vsts/src/sql/mysqld.cc:5871
|
#8 0x55b7022bb079 in main /home/vsts/src/sql/main.cc:25
|
#9 0x7f92e75fe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
|
Thread T35 created by T0 here:
|
#0 0x7f92e9aa3d6f in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d6f)
|
#1 0x55b703fffaa9 in spawn_thread_noop /home/vsts/src/mysys/psi_noop.c:187
|
#2 0x55b7022bd1d4 in inline_mysql_thread_create /home/vsts/src/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55b7022d3dc1 in create_thread_to_handle_connection(CONNECT*) /home/vsts/src/sql/mysqld.cc:6215
|
#4 0x55b7022d457a in create_new_thread(CONNECT*) /home/vsts/src/sql/mysqld.cc:6283
|
#5 0x55b7022d4942 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/vsts/src/sql/mysqld.cc:6381
|
#6 0x55b7022d5793 in handle_connections_sockets() /home/vsts/src/sql/mysqld.cc:6539
|
#7 0x55b7022d3542 in mysqld_main(int, char**) /home/vsts/src/sql/mysqld.cc:5871
|
#8 0x55b7022bb079 in main /home/vsts/src/sql/main.cc:25
|
#9 0x7f92e75fe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
|
Thread T36 created by T0 here:
|
#0 0x7f92e9aa3d6f in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d6f)
|
#1 0x55b703fffaa9 in spawn_thread_noop /home/vsts/src/mysys/psi_noop.c:187
|
#2 0x55b7022bd1d4 in inline_mysql_thread_create /home/vsts/src/include/mysql/psi/mysql_thread.h:1268
|
#3 0x55b7022d3dc1 in create_thread_to_handle_connection(CONNECT*) /home/vsts/src/sql/mysqld.cc:6215
|
#4 0x55b7022d457a in create_new_thread(CONNECT*) /home/vsts/src/sql/mysqld.cc:6283
|
#5 0x55b7022d4942 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/vsts/src/sql/mysqld.cc:6381
|
#6 0x55b7022d5793 in handle_connections_sockets() /home/vsts/src/sql/mysqld.cc:6539
|
#7 0x55b7022d3542 in mysqld_main(int, char**) /home/vsts/src/sql/mysqld.cc:5871
|
#8 0x55b7022bb079 in main /home/vsts/src/sql/main.cc:25
|
#9 0x7f92e75fe82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
|
SUMMARY: AddressSanitizer: heap-use-after-free /home/vsts/src/mysys/my_compare.c:145 in ha_key_cmp
|
Shadow bytes around the buggy address:
|
0x0c1c800cc9c0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c1c800cc9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c800cc9e0: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
|
0x0c1c800cc9f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c800cca00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
|
=>0x0c1c800cca10: fd fd fd fd fd fd fd fd fd[fd]fd fd fa fa fa fa
|
0x0c1c800cca20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c800cca30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x0c1c800cca40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x0c1c800cca50: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
|
0x0c1c800cca60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==6859==ABORTING
|
Unrelated to backup, failing even in 5.5 with this test:
CREATE TABLE t1 (f VARCHAR(32), KEY(f) USING BTREE) ENGINE=HEAP;
|
FLUSH TABLES;
|
INSERT INTO t1 VALUES('foo'),(NULL),('bar'),(NULL),('qux');
|
INSERT INTO t1 SELECT * FROM t1;
|
INSERT INTO t1 SELECT * FROM t1;
|
INSERT INTO t1 SELECT * FROM t1;
|
INSERT INTO t1 SELECT * FROM t1;
|
INSERT INTO t1 SELECT * FROM t1;
|
|
|
connect (con1,localhost,root,,test);
|
send DELETE FROM t1 WHERE f >= 'h';
|
|
|
connection default;
|
FLUSH TABLES;
|
|
|
connection con1;
|
reap;
|
disconnect con1;
|
|
|
connection default;
|
DROP TABLE t1;
|
serg, please review https://github.com/MariaDB/server/commit/45b41952772dd97cfe5e7affe8687e10d5932f9c
Similar stack trace, but without backup_* stages:
10.4 77109285
==6644==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000088a78 at pc 0x5629613755d5 bp 0x7f9d81546790 sp 0x7f9d81546780READ of size 8 at 0x60e000088a78 thread T32#0 0x5629613755d4 in tree_search_next /home/vsts/src/mysys/tree.c:514#1 0x562960639f11 in check_one_rb_key /home/vsts/src/storage/heap/_check.c:194#2 0x562960638f1b in heap_check_heap /home/vsts/src/storage/heap/_check.c:55#3 0x5629606356e6 in hp_close /home/vsts/src/storage/heap/hp_close.c:39#4 0x5629606354f7 in heap_close /home/vsts/src/storage/heap/hp_close.c:28#5 0x5629606183c2 in ha_heap::close() /home/vsts/src/storage/heap/ha_heap.cc:140#6 0x5629600ee772 in handler::ha_close() /home/vsts/src/sql/handler.cc:2794#7 0x56295fc2ec76 in closefrm(TABLE*) /home/vsts/src/sql/table.cc:4000#8 0x56295ff36cb0 in intern_close_table /home/vsts/src/sql/table_cache.cc:222#9 0x56295ff36f0f in tc_remove_table /home/vsts/src/sql/table_cache.cc:260#10 0x56295ff38201 in tc_release_table(TABLE*) /home/vsts/src/sql/table_cache.cc:474#11 0x56295f7bc766 in close_thread_table(THD*, TABLE**) /home/vsts/src/sql/sql_base.cc:1031#12 0x56295f7bbe86 in close_thread_tables(THD*) /home/vsts/src/sql/sql_base.cc:973#13 0x56295f954afa in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:6405#14 0x56295f95ff74 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8149#15 0x56295f934528 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1827#16 0x56295f930d43 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1360#17 0x56295fcf342e in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398#18 0x56295fcf2ce9 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301#19 0x7f9daf5646b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)#20 0x7f9dae7e941c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)0x60e000088a78 is located 120 bytes inside of 156-byte region [0x60e000088a00,0x60e000088a9c)freed by thread T37 here:#0 0x7f9db0c4e7f8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7f8)#1 0x5629613818bf in free_memory /home/vsts/src/mysys/safemalloc.c:279#2 0x562961380e7d in sf_free /home/vsts/src/mysys/safemalloc.c:197#3 0x562961350691 in my_free /home/vsts/src/mysys/my_malloc.c:222#4 0x562961374864 in tree_delete /home/vsts/src/mysys/tree.c:374#5 0x56296061e7fb in hp_rb_delete_key /home/vsts/src/storage/heap/hp_delete.c:81#6 0x56296061e184 in heap_delete /home/vsts/src/storage/heap/hp_delete.c:41#7 0x56296061943e in ha_heap::delete_row(unsigned char const*) /home/vsts/src/storage/heap/ha_heap.cc:273#8 0x56296010e1bc in handler::ha_delete_row(unsigned char const*) /home/vsts/src/sql/handler.cc:6661#9 0x56296052c20d in TABLE::delete_row() /home/vsts/src/sql/sql_delete.cc:297#10 0x5629605238a9 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /home/vsts/src/sql/sql_delete.cc:836#11 0x56295f949092 in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:4977#12 0x56295f95ff74 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8149#13 0x56295f934528 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1827#14 0x56295f930d43 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1360#15 0x56295fcf342e in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398#16 0x56295fcf2ce9 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301#17 0x7f9daf5646b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)previously allocated by thread T37 here:#0 0x7f9db0c4eb90 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb90)#1 0x562961380821 in sf_malloc /home/vsts/src/mysys/safemalloc.c:118#2 0x56296134fbdc in my_malloc /home/vsts/src/mysys/my_malloc.c:101#3 0x562961373ac5 in tree_insert /home/vsts/src/mysys/tree.c:280#4 0x562960631945 in hp_rb_write_key /home/vsts/src/storage/heap/hp_write.c:123#5 0x562960630d0b in heap_write /home/vsts/src/storage/heap/hp_write.c:52#6 0x562960618fe6 in ha_heap::write_row(unsigned char*) /home/vsts/src/storage/heap/ha_heap.cc:239#7 0x56296010c720 in handler::ha_write_row(unsigned char*) /home/vsts/src/sql/handler.cc:6553#8 0x56295f89a374 in write_record(THD*, TABLE*, st_copy_info*) /home/vsts/src/sql/sql_insert.cc:2021#9 0x56295f91d45d in read_sep_field /home/vsts/src/sql/sql_load.cc:1157#10 0x56295f919ab7 in mysql_load(THD*, sql_exchange const*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /home/vsts/src/sql/sql_load.cc:665#11 0x56295f94ad5b in mysql_execute_command(THD*) /home/vsts/src/sql/sql_parse.cc:5178#12 0x56295f95ff74 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/vsts/src/sql/sql_parse.cc:8149#13 0x56295f934528 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/vsts/src/sql/sql_parse.cc:1827#14 0x56295f930d43 in do_command(THD*) /home/vsts/src/sql/sql_parse.cc:1360#15 0x56295fcf342e in do_handle_one_connection(CONNECT*) /home/vsts/src/sql/sql_connect.cc:1398#16 0x56295fcf2ce9 in handle_one_connection /home/vsts/src/sql/sql_connect.cc:1301#17 0x7f9daf5646b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)Thread T32 created by T0 here:#0 0x7f9db0ba7d6f in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d6f)#1 0x5629613b17f9 in spawn_thread_noop /home/vsts/src/mysys/psi_noop.c:187#2 0x56295f662124 in inline_mysql_thread_create /home/vsts/src/include/mysql/psi/mysql_thread.h:1268#3 0x56295f678d5f in create_thread_to_handle_connection(CONNECT*) /home/vsts/src/sql/mysqld.cc:6220#4 0x56295f679518 in create_new_thread(CONNECT*) /home/vsts/src/sql/mysqld.cc:6288#5 0x56295f6798e0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/vsts/src/sql/mysqld.cc:6386#6 0x56295f67a731 in handle_connections_sockets() /home/vsts/src/sql/mysqld.cc:6544#7 0x56295f6784e0 in mysqld_main(int, char**) /home/vsts/src/sql/mysqld.cc:5876#8 0x56295f65ffc9 in main /home/vsts/src/sql/main.cc:25#9 0x7f9dae70282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)Thread T37 created by T0 here:#0 0x7f9db0ba7d6f in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d6f)#1 0x5629613b17f9 in spawn_thread_noop /home/vsts/src/mysys/psi_noop.c:187#2 0x56295f662124 in inline_mysql_thread_create /home/vsts/src/include/mysql/psi/mysql_thread.h:1268#3 0x56295f678d5f in create_thread_to_handle_connection(CONNECT*) /home/vsts/src/sql/mysqld.cc:6220#4 0x56295f679518 in create_new_thread(CONNECT*) /home/vsts/src/sql/mysqld.cc:6288#5 0x56295f6798e0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/vsts/src/sql/mysqld.cc:6386#6 0x56295f67a731 in handle_connections_sockets() /home/vsts/src/sql/mysqld.cc:6544#7 0x56295f6784e0 in mysqld_main(int, char**) /home/vsts/src/sql/mysqld.cc:5876#8 0x56295f65ffc9 in main /home/vsts/src/sql/main.cc:25#9 0x7f9dae70282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)SUMMARY: AddressSanitizer: heap-use-after-free /home/vsts/src/mysys/tree.c:514 in tree_search_nextShadow bytes around the buggy address:0x0c1c800090f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c1c80009100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c1c80009110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa0x0c1c80009120: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd0x0c1c80009130: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa=>0x0c1c80009140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]0x0c1c80009150: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd0x0c1c80009160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd0x0c1c80009170: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd0x0c1c80009180: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa0x0c1c80009190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa faShadow byte legend (one shadow byte represents 8 application bytes):Addressable: 00Partially addressable: 01 02 03 04 05 06 07Heap left redzone: faFreed heap region: fdStack left redzone: f1Stack mid redzone: f2Stack right redzone: f3Stack after return: f5Stack use after scope: f8Global redzone: f9Global init order: f6Poisoned by user: f7Container overflow: fcArray cookie: acIntra object redzone: bbASan internal: feLeft alloca redzone: caRight alloca redzone: cb==6644==ABORTING