MariaDB Server / MDEV-18783

Server crash in hp_rb_make_key, ASAN heap-use-after-free in tree_search_next / heap_check_heap


    Description

      The test case is non-deterministic; don't put it into the regression suite, and run it with --repeat=N. It usually fails for me within ~15 attempts, but it can vary on different machines and builds.

      --connect (con1,localhost,root,,test)
      BACKUP STAGE START;
      BACKUP STAGE BLOCK_COMMIT;
      BACKUP STAGE END;
       
      --connection default
      CREATE TABLE t1 (f VARCHAR(32), KEY(f) USING BTREE) ENGINE=HEAP;
       
      --connection con1
      INSERT IGNORE INTO t1 VALUES ('foo'),(NULL),('bar'),(NULL),('qux');
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      BACKUP STAGE START;
       
      --connection default
      --send
        DELETE FROM t1 WHERE f >= 'h';
       
      --connection con1
      BACKUP STAGE BLOCK_COMMIT;
       
      # Cleanup
      BACKUP STAGE END;
      --connection default
      --reap
      DROP TABLE t1;
      

      10.4 ASAN 5a087444

      ==18314==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0007b7a18 at pc 0x558d21fc8bbe bp 0x7f090f549240 sp 0x7f090f549238
      READ of size 8 at 0x60e00040cdd8 thread T6
          #0 0x55fed3ca1bbd in tree_search_next /data/src/10.4/mysys/tree.c:514
          #1 0x55fed3ba0c60 in check_one_rb_key /data/src/10.4/storage/heap/_check.c:194
          #2 0x55fed3b9fc73 in heap_check_heap /data/src/10.4/storage/heap/_check.c:55
          #3 0x55fed3b9c247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
          #4 0x55fed3b9c095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
          #5 0x55fed3b7f2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
          #6 0x55fed2b51cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
          #7 0x55fed2676401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
          #8 0x55fed29376a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
          #9 0x55fed2937d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
          #10 0x55fed294fdaf in backup_flush /data/src/10.4/sql/backup.cc:207
          #11 0x55fed294f645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
          #12 0x55fed23b75ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
          #13 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #14 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #15 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #16 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #17 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #18 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #19 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7fcbca74893e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e00040cdd8 is located 120 bytes inside of 156-byte region [0x60e00040cd60,0x60e00040cdfc)
      freed by thread T5 here:
          #0 0x7fcbcc5cc527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x55fed3cad5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x55fed3cacbdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x55fed3c7d628 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x55fed3ca0e20 in tree_delete /data/src/10.4/mysys/tree.c:374
          #5 0x55fed3b858b1 in hp_rb_delete_key /data/src/10.4/storage/heap/hp_delete.c:81
          #6 0x55fed3b85315 in heap_delete /data/src/10.4/storage/heap/hp_delete.c:41
          #7 0x55fed3b80420 in ha_heap::delete_row(unsigned char const*) /data/src/10.4/storage/heap/ha_heap.cc:273
          #8 0x55fed2b6f4e5 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6775
          #9 0x55fed2f68a07 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:297
          #10 0x55fed2f61282 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
          #11 0x55fed23b5490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #12 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T6 here:
          #0 0x7fcbcc5cc73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55fed3cac34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55fed3c7cc4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55fed3c9fe6f in tree_insert /data/src/10.4/mysys/tree.c:280
          #4 0x55fed3b98630 in hp_rb_write_key /data/src/10.4/storage/heap/hp_write.c:123
          #5 0x55fed3b97a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
          #6 0x55fed3b7ffbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
          #7 0x55fed2b6d9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
          #8 0x55fed230dd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
          #9 0x55fed231c45d in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3870
          #10 0x55fed24db182 in end_send /data/src/10.4/sql/sql_select.cc:21198
          #11 0x55fed24d32cf in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20229
          #12 0x55fed250d113 in AGGR_OP::end_send() /data/src/10.4/sql/sql_select.cc:28239
          #13 0x55fed24d1063 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19723
          #14 0x55fed24d17be in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19958
          #15 0x55fed24d02b6 in do_select /data/src/10.4/sql/sql_select.cc:19549
          #16 0x55fed246950a in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4364
          #17 0x55fed2466e05 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4146
          #18 0x55fed246a8e2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4578
          #19 0x55fed2440f52 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
          #20 0x55fed23b485e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4896
          #21 0x55fed23ca56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #22 0x55fed23a2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #23 0x55fed239f578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #24 0x55fed2732cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #25 0x55fed27326a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #26 0x55fed32fc93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #27 0x7fcbcc362493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7fcbcc59bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55fed32fcf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55fed20ed2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55fed21023f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x55fed2102af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x55fed2102e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x55fed2103ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x55fed2101c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x55fed20eb16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fcbca6802b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      Thread T5 created by T0 here:
          #0 0x7fcbcc59bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55fed32fcf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55fed20ed2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55fed21023f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x55fed2102af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x55fed2102e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x55fed2103ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x55fed2101c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x55fed20eb16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fcbca6802b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/tree.c:514 tree_search_next
      Shadow bytes around the buggy address:
        0x0c1c80079960: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
        0x0c1c80079970: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c80079980: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
        0x0c1c80079990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c800799a0: 00 00 00 04 fa fa fa fa fa fa fa fa fd fd fd fd
      =>0x0c1c800799b0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
        0x0c1c800799c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c1c800799d0: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
        0x0c1c800799e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c1c800799f0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
        0x0c1c80079a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==23015==ABORTING
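      Added here as a triage aid (not part of this report or of the MariaDB source): a Python parser for ASAN reports like the one above. It splits a report into the use, free and allocation stacks, skips the libasan interceptors and the safemalloc/my_malloc wrappers so that the first meaningful frame on each side is shown (tree_search_next, tree_delete, tree_insert), and names the statement executor called by mysql_execute_command on each side, so the output states directly that the BACKUP STAGE thread read a tree node the DELETE thread had freed. The source prefix /data/src/10.4/, the wrapper names and the dispatcher name mysql_execute_command are taken from the trace above; the helper names and the abbreviated sample report embedded in the block are my own.

```python
"""ASAN heap-use-after-free triage (added example, not code from MDEV-18783 or MariaDB):
splits a report into use/free/allocation stacks, skips libasan interceptors and the
project's allocator wrappers, and flags a free on a thread other than the using one."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, Optional
HEADER_RE = re.compile(r'^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)')
ACCESS_RE = re.compile(r'^((?:READ|WRITE) of size \d+) at 0x[0-9a-f]+ thread (T\d+)')
FREED_RE = re.compile(r'^freed by thread (T\d+) here:')
ALLOC_RE = re.compile(r'^previously allocated by thread (T\d+) here:')
FRAME_RE = re.compile(r'^#\d+\s+0x[0-9a-f]+\s+in\s+(.*)$')
PROJECT_PREFIX = '/data/src/10.4/'   # source root as printed in this ticket's reports
ALLOCATOR_WRAPPERS = {'free_memory', 'sf_free', 'my_free', 'sf_malloc', 'my_malloc'}
Frame = namedtuple('Frame', 'function location')   # function may carry a C++ signature
Stack = namedtuple('Stack', 'thread frames')

@dataclass
class AsanReport:
    kind: str
    address: str
    access: str = ''                                          # e.g. 'READ of size 8'
    stacks: Dict[str, Stack] = field(default_factory=dict)    # 'use', 'free', 'alloc'

def parse_asan_report(text: str) -> Optional[AsanReport]:
    """Frames are attached to whichever stack header (READ/WRITE, freed, allocated) came last."""
    report, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            report = AsanReport(kind=m.group(1), address=m.group(2))
        elif report is None:
            continue
        elif m := ACCESS_RE.match(line):
            report.access = m.group(1)
            current = report.stacks['use'] = Stack(m.group(2), [])
        elif m := FREED_RE.match(line):
            current = report.stacks['free'] = Stack(m.group(1), [])
        elif m := ALLOC_RE.match(line):
            current = report.stacks['alloc'] = Stack(m.group(1), [])
        elif line.startswith(('Thread T', 'SUMMARY:')):
            current = None   # thread-creation stacks are not needed for triage
        elif current is not None and (m := FRAME_RE.match(line)):
            func, _, loc = m.group(1).rpartition(' ')   # location is the last token
            current.frames.append(Frame(func, loc))
    return report

def base_name(function: str) -> str:
    """'mysql_delete(THD*, ...)' -> 'mysql_delete'."""
    return function.split('(', 1)[0]

def project_site(stack: Optional[Stack]) -> Optional[str]:
    """Innermost project-source frame that is not an allocator wrapper, as 'function file:line'."""
    for f in (stack.frames if stack else ()):
        if f.location.startswith(PROJECT_PREFIX) and base_name(f.function) not in ALLOCATOR_WRAPPERS:
            return f'{base_name(f.function)} {f.location}'
    return None

def statement_entry(stack: Optional[Stack], dispatcher: str = 'mysql_execute_command') -> Optional[str]:
    """Function called directly by the SQL dispatcher, i.e. the statement this thread was running."""
    frames = stack.frames if stack else []
    for callee, caller in zip(frames, frames[1:]):
        if base_name(caller.function) == dispatcher:
            return base_name(callee.function)
    return None

def triage(report: AsanReport) -> dict:
    """Where the object was used, freed and allocated, by which statements and threads."""
    use, free = report.stacks.get('use'), report.stacks.get('free')
    summary = {'kind': report.kind, 'operation': f'{report.access} at {report.address}',
               'cross_thread': bool(use and free and use.thread != free.thread),
               'use_statement': statement_entry(use), 'free_statement': statement_entry(free)}
    for name, stack in report.stacks.items():
        summary[f'{name}_site'] = project_site(stack)
    return summary

# Constructed input: an excerpt of the first report in this ticket with most frames omitted.
SAMPLE_REPORT = """\
==18314==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00040cdd8 at pc 0x558d21fc8bbe
READ of size 8 at 0x60e00040cdd8 thread T6
    #0 0x55fed3ca1bbd in tree_search_next /data/src/10.4/mysys/tree.c:514
    #10 0x55fed294fdaf in backup_flush /data/src/10.4/sql/backup.cc:207
    #11 0x55fed294f645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
    #12 0x55fed23b75ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
freed by thread T5 here:
    #0 0x7fcbcc5cc527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x55fed3cad5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
    #4 0x55fed3ca0e20 in tree_delete /data/src/10.4/mysys/tree.c:374
    #10 0x55fed2f61282 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:843
    #11 0x55fed23b5490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
previously allocated by thread T6 here:
    #0 0x7fcbcc5cc73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55fed3cac34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
    #3 0x55fed3c9fe6f in tree_insert /data/src/10.4/mysys/tree.c:280
    #19 0x55fed2440f52 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
    #20 0x55fed23b485e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4896
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/tree.c:514 tree_search_next
"""

if __name__ == '__main__':
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f'{key:15} {value}')
```

      Run as a script it prints the summary for the embedded sample; for a real log, pass the full text to parse_asan_report() (only the first report in the text is parsed). A cross_thread value of True is the cue to look for missing synchronisation between the two statement paths (here the table close done by backup_flush against a DELETE still running on the same HEAP table) rather than for a stale pointer within one thread.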
      

      10.4 5a087444 debug

      #3  <signal handler called>
      #4  0x0000557f3f737aaf in hp_rb_make_key (keydef=0x7fcd1c1498a0, key=0x7fcd180d815c "\003qux", rec=0x708f8f8f8f142352 <error: Cannot access memory at address 0x708f8f8f8f142352>, recpos=0x0) at /data/src/10.4/storage/heap/hp_hash.c:617
      #5  0x0000557f3f73db1c in check_one_rb_key (info=0x7fcd180d7e50, keynr=0, records=160, print_status=0 '\000') at /data/src/10.4/storage/heap/_check.c:184
      #6  0x0000557f3f73d3e9 in heap_check_heap (info=0x7fcd180d7e50, print_status=0 '\000') at /data/src/10.4/storage/heap/_check.c:55
      #7  0x0000557f3f73c182 in hp_close (info=0x7fcd180d7e50) at /data/src/10.4/storage/heap/hp_close.c:39
      #8  0x0000557f3f73c0f9 in heap_close (info=0x7fcd180d7e50) at /data/src/10.4/storage/heap/hp_close.c:28
      #9  0x0000557f3f73375b in ha_heap::close (this=0x7fcd1817c058) at /data/src/10.4/storage/heap/ha_heap.cc:140
      #10 0x0000557f3efccc3a in handler::ha_close (this=0x7fcd1817c058) at /data/src/10.4/sql/handler.cc:2967
      #11 0x0000557f3eda707e in closefrm (table=0x7fcd1817b1f0) at /data/src/10.4/sql/table.cc:3993
      #12 0x0000557f3eeeedcf in intern_close_table (table=0x7fcd1817b1f0) at /data/src/10.4/sql/table_cache.cc:222
      #13 0x0000557f3eeef1d7 in tc_purge (mark_flushed=false) at /data/src/10.4/sql/table_cache.cc:335
      #14 0x0000557f3eef9516 in backup_flush (thd=0x7fcd18000b00) at /data/src/10.4/sql/backup.cc:207
      #15 0x0000557f3eef91a2 in run_backup_stage (thd=0x7fcd18000b00, stage=BACKUP_LOCK_COMMIT) at /data/src/10.4/sql/backup.cc:110
      #16 0x0000557f3ec896c8 in mysql_execute_command (thd=0x7fcd18000b00) at /data/src/10.4/sql/sql_parse.cc:5288
      #17 0x0000557f3ec9348c in mysql_parse (thd=0x7fcd18000b00, rawbuf=0x7fcd180154a8 "BACKUP STAGE BLOCK_COMMIT", length=25, parser_state=0x7fcd34385180, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:8157
      #18 0x0000557f3ec7eb7a in dispatch_command (command=COM_QUERY, thd=0x7fcd18000b00, packet=0x7fcd1800a761 "BACKUP STAGE BLOCK_COMMIT", packet_length=25, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1829
      #19 0x0000557f3ec7d34e in do_command (thd=0x7fcd18000b00) at /data/src/10.4/sql/sql_parse.cc:1358
      #20 0x0000557f3edf6e59 in do_handle_one_connection (connect=0x557f413cdc50) at /data/src/10.4/sql/sql_connect.cc:1399
      #21 0x0000557f3edf6bca in handle_one_connection (arg=0x557f413cdc50) at /data/src/10.4/sql/sql_connect.cc:1302
      #22 0x0000557f3f2edb51 in pfs_spawn_thread (arg=0x557f414c02c0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
      #23 0x00007fcd3af3c494 in start_thread (arg=0x7fcd34386700) at pthread_create.c:333
      #24 0x00007fcd3932293f in clone () from /lib/x86_64-linux-gnu/libc.so.6
      

      Couldn't reproduce on a non-debug build, but it can be a timing issue.

      Variation of the test case (the difference is the absence of the WHERE clause in DELETE) and a variation of the stack trace:

      --connect (con1,localhost,root,,test)
      BACKUP STAGE START;
      BACKUP STAGE BLOCK_COMMIT;
      BACKUP STAGE END;
       
      --connection default
      CREATE TABLE t1 (f VARCHAR(32), KEY(f) USING BTREE) ENGINE=HEAP;
       
      --connection con1
      INSERT IGNORE INTO t1 VALUES ('foo'),(NULL),('bar'),(NULL),('qux');
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      BACKUP STAGE START;
       
      --connection default
      --send
        DELETE FROM t1;
       
      --connection con1
      BACKUP STAGE BLOCK_COMMIT;
       
      # Cleanup
      BACKUP STAGE END;
      --connection default
      --reap
      DROP TABLE t1;
      

      ==26799==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001f24d0 at pc 0x5591ce8be6b2 bp 0x7f6e09c7d240 sp 0x7f6e09c7d238
      READ of size 8 at 0x60e0001f24d0 thread T6
          #0 0x5591ce8be6b1 in tree_search_edge /data/src/10.4/mysys/tree.c:488
          #1 0x5591ce7bda2c in check_one_rb_key /data/src/10.4/storage/heap/_check.c:178
          #2 0x5591ce7bcc73 in heap_check_heap /data/src/10.4/storage/heap/_check.c:55
          #3 0x5591ce7b9247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
          #4 0x5591ce7b9095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
          #5 0x5591ce79c2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
          #6 0x5591cd76ecf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
          #7 0x5591cd293401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
          #8 0x5591cd5546a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
          #9 0x5591cd554d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
          #10 0x5591cd56cdaf in backup_flush /data/src/10.4/sql/backup.cc:207
          #11 0x5591cd56c645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
          #12 0x5591ccfd45ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
          #13 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #14 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #15 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #16 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #17 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #18 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #19 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7f6e138c293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x60e0001f24d0 is located 112 bytes inside of 156-byte region [0x60e0001f2460,0x60e0001f24fc)
      freed by thread T5 here:
          #0 0x7f6e15746527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x5591ce8ca5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x5591ce8c9bdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x5591ce89a628 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x5591ce8bc991 in delete_tree_element /data/src/10.4/mysys/tree.c:226
          #5 0x5591ce8bc798 in delete_tree_element /data/src/10.4/mysys/tree.c:212
          #6 0x5591ce8bc798 in delete_tree_element /data/src/10.4/mysys/tree.c:212
          #7 0x5591ce8bc34d in free_tree /data/src/10.4/mysys/tree.c:150
          #8 0x5591ce8bc709 in delete_tree /data/src/10.4/mysys/tree.c:196
          #9 0x5591ce7b8621 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:94
          #10 0x5591ce7b81dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
          #11 0x5591ce7b8043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
          #12 0x5591ce79e7eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
          #13 0x5591cd77af0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
          #14 0x5591cdb7c026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
          #15 0x5591ccfd2490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #16 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #17 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #18 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #19 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #20 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #21 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #22 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T6 here:
          #0 0x7f6e1574673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x5591ce8c934f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x5591ce899c4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x5591ce8bce6f in tree_insert /data/src/10.4/mysys/tree.c:280
          #4 0x5591ce7b5630 in hp_rb_write_key /data/src/10.4/storage/heap/hp_write.c:123
          #5 0x5591ce7b4a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
          #6 0x5591ce79cfbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
          #7 0x5591cd78a9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
          #8 0x5591ccf2ad8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
          #9 0x5591ccf3945d in select_insert::send_data(List<Item>&) /data/src/10.4/sql/sql_insert.cc:3870
          #10 0x5591cd0f8182 in end_send /data/src/10.4/sql/sql_select.cc:21198
          #11 0x5591cd0f02cf in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20229
          #12 0x5591cd12a113 in AGGR_OP::end_send() /data/src/10.4/sql/sql_select.cc:28239
          #13 0x5591cd0ee063 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19723
          #14 0x5591cd0ee7be in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:19958
          #15 0x5591cd0ed2b6 in do_select /data/src/10.4/sql/sql_select.cc:19549
          #16 0x5591cd08650a in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4364
          #17 0x5591cd083e05 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4146
          #18 0x5591cd0878e2 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4578
          #19 0x5591cd05df52 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:424
          #20 0x5591ccfd185e in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4896
          #21 0x5591ccfe756e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #22 0x5591ccfbf777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #23 0x5591ccfbc578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #24 0x5591cd34fcab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #25 0x5591cd34f6a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #26 0x5591cdf1993a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #27 0x7f6e154dc493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7f6e15715bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5591cdf19f02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x5591ccd0a2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5591ccd1f3f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x5591ccd1faf7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x5591ccd1fe87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x5591ccd20ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x5591ccd1ec2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x5591ccd0816f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f6e137fa2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      Thread T5 created by T0 here:
          #0 0x7f6e15715bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x5591cdf19f02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x5591ccd0a2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5591ccd1f3f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x5591ccd1faf7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x5591ccd1fe87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x5591ccd20ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x5591ccd1ec2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x5591ccd0816f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f6e137fa2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/mysys/tree.c:488 tree_search_edge
      Shadow bytes around the buggy address:
        0x0c1c80036440: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c1c80036450: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80036460: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c1c80036470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c80036480: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      =>0x0c1c80036490: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
        0x0c1c800364a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c1c800364b0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
        0x0c1c800364c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c1c800364d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c1c800364e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==26799==ABORTING
      

      Another variation of the test case with two variations of the stack trace:

      --connect (con1,localhost,root,,test)
      BACKUP STAGE START;
      BACKUP STAGE BLOCK_COMMIT;
      UNLOCK TABLES;
      BACKUP STAGE END;
       
      --connection default
      CREATE TABLE t1 (f1 VARCHAR(32), f2 VARCHAR (32), KEY (f1) USING HASH, KEY (f2) USING BTREE) ENGINE=HEAP;
       
      --connection con1
      INSERT INTO t1 VALUES ('foo','bar'),(NULL,NULL),(NULL,'foobar'),('a',NULL),(NULL,'qux');
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
      INSERT INTO t1 SELECT * FROM t1;
       
      BACKUP STAGE START;
       
      --connection default
      --send
        DELETE FROM t1;
      --connection con1
      BACKUP STAGE BLOCK_COMMIT;
       
      # Cleanup
      --connection con1
      BACKUP STAGE END;
      --disconnect con1
      --connection default
      --reap
      DROP TABLE t1;
      

      ==15871==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000134280 at pc 0x56043f28244f bp 0x7fb5c0ace300 sp 0x7fb5c0ace2f8
      READ of size 8 at 0x62b000134280 thread T6
          #0 0x56043f28244e in check_one_key /data/src/10.4/storage/heap/_check.c:114
          #1 0x56043f281d4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
          #2 0x56043f27e247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
          #3 0x56043f27e095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
          #4 0x56043f2612fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
          #5 0x56043e233cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
          #6 0x56043dd58401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
          #7 0x56043e0196a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
          #8 0x56043e019d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
          #9 0x56043e031daf in backup_flush /data/src/10.4/sql/backup.cc:207
          #10 0x56043e031645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
          #11 0x56043da995ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
          #12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #19 0x7fb5ca71393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62b000134280 is located 128 bytes inside of 24116-byte region [0x62b000134200,0x62b00013a034)
      freed by thread T5 here:
          #0 0x7fb5cc597527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x56043f38f5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x56043f38ebdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x56043f35f628 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x56043f27cff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
          #5 0x56043f27d6d6 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:100
          #6 0x56043f27d1dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
          #7 0x56043f27d043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
          #8 0x56043f2637eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
          #9 0x56043e23ff0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
          #10 0x56043e641026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
          #11 0x56043da97490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T6 here:
          #0 0x7fb5cc59773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x56043f38e34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x56043f35ec4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x56043f27c91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
          #4 0x56043f27c032 in hp_find_free_hash /data/src/10.4/storage/heap/hp_write.c:411
          #5 0x56043f27b06e in hp_write_key /data/src/10.4/storage/heap/hp_write.c:214
          #6 0x56043f279a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
          #7 0x56043f261fbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
          #8 0x56043e24f9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
          #9 0x56043d9efd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
          #10 0x56043d9e87cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
          #11 0x56043da957cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
          #12 0x56043daac56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x56043da84777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x56043da81578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x56043de14cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x56043de146a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x56043e9de93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fb5cc32d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7fb5cc566bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56043e9def02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x56043d7cf2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x56043d7e43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x56043d7e4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x56043d7e4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x56043d7e5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x56043d7e3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x56043d7cd16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fb5ca64b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      Thread T5 created by T0 here:
          #0 0x7fb5cc566bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56043e9def02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x56043d7cf2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x56043d7e43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x56043d7e4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x56043d7e4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x56043d7e5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x56043d7e3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x56043d7cd16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fb5ca64b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/_check.c:114 check_one_key
      Shadow bytes around the buggy address:
        0x0c568001e800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c568001e810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c568001e820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c568001e830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c568001e840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c568001e850:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c568001e860: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c568001e870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c568001e880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c568001e890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c568001e8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==15871==ABORTING
      

      ==5683==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa55e003862 at pc 0x56427b37b707 bp 0x7fa55e8bd1b0 sp 0x7fa55e8bd1a8
      READ of size 1 at 0x7fa55e003862 thread T6
          #0 0x56427b37b706 in hp_rec_hashnr /data/src/10.4/storage/heap/hp_hash.c:315
          #1 0x56427b392492 in check_one_key /data/src/10.4/storage/heap/_check.c:114
          #2 0x56427b391d4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
          #3 0x56427b38e247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
          #4 0x56427b38e095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
          #5 0x56427b3712fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
          #6 0x56427a343cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
          #7 0x564279e68401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
          #8 0x56427a1296a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
          #9 0x56427a129d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
          #10 0x56427a141daf in backup_flush /data/src/10.4/sql/backup.cc:207
          #11 0x56427a141645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
          #12 0x564279ba95ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
          #13 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #14 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #15 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #16 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #17 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #18 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #19 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #20 0x7fa56850293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x7fa55e003862 is located 69730 bytes inside of 132836-byte region [0x7fa55dff2800,0x7fa55e012ee4)
      freed by thread T5 here:
          #0 0x7fa56a386527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x56427b49f5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x56427b49ebdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x56427b46f628 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x56427b38cff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
          #5 0x56427b38cfca in hp_free_level /data/src/10.4/storage/heap/hp_block.c:146
          #6 0x56427b38d17e in hp_clear /data/src/10.4/storage/heap/hp_clear.c:35
          #7 0x56427b38d043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
          #8 0x56427b3737eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
          #9 0x56427a34ff0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
          #10 0x56427a751026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
          #11 0x564279ba7490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #12 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T6 here:
          #0 0x7fa56a38673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x56427b49e34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x56427b46ec4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x56427b38c91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
          #4 0x56427b38acef in next_free_record_pos /data/src/10.4/storage/heap/hp_write.c:165
          #5 0x56427b389868 in heap_write /data/src/10.4/storage/heap/hp_write.c:45
          #6 0x56427b371fbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
          #7 0x56427a35f9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
          #8 0x564279affd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
          #9 0x564279af87cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
          #10 0x564279ba57cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
          #11 0x564279bbc56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #12 0x564279b94777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #13 0x564279b91578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #14 0x564279f24cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #15 0x564279f246a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #16 0x56427aaee93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #17 0x7fa56a11c493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T6 created by T0 here:
          #0 0x7fa56a355bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56427aaeef02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x5642798df2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5642798f43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x5642798f4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x5642798f4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x5642798f5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x5642798f3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x5642798dd16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fa56843a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      Thread T5 created by T0 here:
          #0 0x7fa56a355bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x56427aaeef02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x5642798df2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x5642798f43f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x5642798f4af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x5642798f4e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x5642798f5ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x5642798f3c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x5642798dd16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7fa56843a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/hp_hash.c:315 hp_rec_hashnr
      Shadow bytes around the buggy address:
        0x0ff52bbf86b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf86c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf86d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf86e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf86f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0ff52bbf8700: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
        0x0ff52bbf8710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf8720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf8730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf8740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0ff52bbf8750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==5683==ABORTING
       
       
      ==6061==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100022c580 at pc 0x55bc1a5b044f bp 0x7f7e41d5a300 sp 0x7f7e41d5a2f8
      READ of size 8 at 0x62100022c580 thread T5
          #0 0x55bc1a5b044e in check_one_key /data/src/10.4/storage/heap/_check.c:114
          #1 0x55bc1a5afd4d in heap_check_heap /data/src/10.4/storage/heap/_check.c:57
          #2 0x55bc1a5ac247 in hp_close /data/src/10.4/storage/heap/hp_close.c:39
          #3 0x55bc1a5ac095 in heap_close /data/src/10.4/storage/heap/hp_close.c:28
          #4 0x55bc1a58f2fe in ha_heap::close() /data/src/10.4/storage/heap/ha_heap.cc:140
          #5 0x55bc19561cf2 in handler::ha_close() /data/src/10.4/sql/handler.cc:2967
          #6 0x55bc19086401 in closefrm(TABLE*) /data/src/10.4/sql/table.cc:3993
          #7 0x55bc193476a8 in intern_close_table /data/src/10.4/sql/table_cache.cc:222
          #8 0x55bc19347d0f in tc_purge(bool) /data/src/10.4/sql/table_cache.cc:335
          #9 0x55bc1935fdaf in backup_flush /data/src/10.4/sql/backup.cc:207
          #10 0x55bc1935f645 in run_backup_stage(THD*, backup_stages) /data/src/10.4/sql/backup.cc:110
          #11 0x55bc18dc75ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:5288
          #12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #19 0x7f7e4b4c193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x62100022c580 is located 128 bytes inside of 4028-byte region [0x62100022c500,0x62100022d4bc)
      freed by thread T6 here:
          #0 0x7f7e4d345527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x55bc1a6bd5d9 in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x55bc1a6bcbdf in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x55bc1a68d628 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x55bc1a5aaff0 in hp_free_level /data/src/10.4/storage/heap/hp_block.c:151
          #5 0x55bc1a5ab6d6 in hp_clear_keys /data/src/10.4/storage/heap/hp_clear.c:100
          #6 0x55bc1a5ab1dc in hp_clear /data/src/10.4/storage/heap/hp_clear.c:38
          #7 0x55bc1a5ab043 in heap_clear /data/src/10.4/storage/heap/hp_clear.c:27
          #8 0x55bc1a5917eb in ha_heap::delete_all_rows() /data/src/10.4/storage/heap/ha_heap.cc:411
          #9 0x55bc1956df0e in handler::ha_delete_all_rows() /data/src/10.4/sql/handler.cc:4510
          #10 0x55bc1996f026 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:502
          #11 0x55bc18dc5490 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4985
          #12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7f7e4d34573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55bc1a6bc34f in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x55bc1a68cc4a in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x55bc1a5aa91b in hp_get_new_block /data/src/10.4/storage/heap/hp_block.c:81
          #4 0x55bc1a5aa032 in hp_find_free_hash /data/src/10.4/storage/heap/hp_write.c:411
          #5 0x55bc1a5a906e in hp_write_key /data/src/10.4/storage/heap/hp_write.c:214
          #6 0x55bc1a5a7a1a in heap_write /data/src/10.4/storage/heap/hp_write.c:52
          #7 0x55bc1a58ffbc in ha_heap::write_row(unsigned char*) /data/src/10.4/storage/heap/ha_heap.cc:239
          #8 0x55bc1957d9f1 in handler::ha_write_row(unsigned char*) /data/src/10.4/sql/handler.cc:6667
          #9 0x55bc18d1dd8e in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2024
          #10 0x55bc18d167cf in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1067
          #11 0x55bc18dc37cc in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4791
          #12 0x55bc18dda56e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8157
          #13 0x55bc18db2777 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1829
          #14 0x55bc18daf578 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1358
          #15 0x55bc19142cab in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1399
          #16 0x55bc191426a4 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1302
          #17 0x55bc19d0c93a in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
          #18 0x7f7e4d0db493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7f7e4d314bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55bc19d0cf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55bc18afd2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55bc18b123f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x55bc18b12af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x55bc18b12e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x55bc18b13ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x55bc18b11c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x55bc18afb16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f7e4b3f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      Thread T6 created by T0 here:
          #0 0x7f7e4d314bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55bc19d0cf02 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
          #2 0x55bc18afd2e6 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
          #3 0x55bc18b123f2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6133
          #4 0x55bc18b12af7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6203
          #5 0x55bc18b12e87 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6301
          #6 0x55bc18b13ad3 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6459
          #7 0x55bc18b11c2d in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5791
          #8 0x55bc18afb16f in main /data/src/10.4/sql/main.cc:25
          #9 0x7f7e4b3f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/storage/heap/_check.c:114 check_one_key
      Shadow bytes around the buggy address:
        0x0c428003d860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428003d870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428003d880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428003d890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c428003d8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c428003d8b0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428003d8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428003d8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428003d8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428003d8f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c428003d900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==6061==ABORTING
      

            People

              svoj Sergey Vojtovich
              elenst Elena Stepanova