MariaDB Server / MDEV-21066

AddressSanitizer: heap-use-after-free in ha_maria::implicit_commit upon ALTER under lock


    Description

      Note: I'm filing it for the record, as it seems to affect 10.1 only; it was most likely fixed in higher versions by one of the numerous related patches, e.g. MDEV-10748, MDEV-18451, etc. I didn't bisect to find out exactly which patch made it go away on 10.2+.

      Note: The failure is reproducible on 10.1 ASAN non-debug build. On a debug build, with and without ASAN, the test case causes assertion failure MDEV-18418 instead.

      CREATE TABLE t1 (pk INT PRIMARY KEY, a INT) ENGINE=Aria;
      CREATE VIEW v1 AS SELECT * FROM t1;
      CREATE TABLE t2 (f INT) ENGINE=Aria;
       
      LOCK TABLES t1 READ, t2 WRITE, v1 WRITE;
      ALTER TABLE t1 CHANGE COLUMN a b INT AFTER pk;
       
      # Cleanup
      UNLOCK TABLES;
      DROP VIEW v1;
      DROP TABLE t1, t2;
      

      10.1 non-debug ASAN build

      ==22096==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000c8218 at pc 0x56373cec287d bp 0x7f74d99ec7f0 sp 0x7f74d99ec7e8
      READ of size 8 at 0x6290000c8218 thread T6
          #0 0x56373cec287c in ha_maria::implicit_commit(THD*, bool) /data/src/10.1/storage/maria/ha_maria.cc:2922
          #1 0x56373caa3659 in ha_commit_trans(THD*, bool) /data/src/10.1/sql/handler.cc:1391
          #2 0x56373c8e4f8c in trans_commit_implicit(THD*) /data/src/10.1/sql/transaction.cc:294
          #3 0x56373c65bdf4 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:5555
          #4 0x56373c65d93e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7209
          #5 0x56373c6640b5 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1/sql/sql_parse.cc:1499
          #6 0x56373c66a696 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1131
          #7 0x56373c8be023 in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1331
          #8 0x56373c8be5a9 in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242
          #9 0x56373d101bad in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1861
          #10 0x7f74e500c4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #11 0x7f74e3a22d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x6290000c8218 is located 24 bytes inside of 18224-byte region [0x6290000c8200,0x6290000cc930)
      freed by thread T6 here:
          #0 0x7f74e52e3a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
          #1 0x56373d6668ea in my_free /data/src/10.1/mysys/my_malloc.c:218
       
      previously allocated by thread T6 here:
          #0 0x7f74e52e3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x56373d666708 in my_malloc /data/src/10.1/mysys/my_malloc.c:101
       
      Thread T6 created by T0 here:
          #0 0x7f74e5252f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x56373d10c0bc in spawn_thread_v1 /data/src/10.1/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.1/storage/maria/ha_maria.cc:2922 in ha_maria::implicit_commit(THD*, bool)
      ==22096==ABORTING
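
Added triage helper, not part of the report or of the MariaDB code base: it parses the key lines of the ASan output above (embedded as the constant ASAN_REPORT), separates the access, free and allocation stacks, and recomputes the 24-byte offset and 18224-byte region size that ASan states. The names triage and first_source_frame and the file:line heuristic for skipping the allocator interceptor frame are assumptions of this example.

```python
import re

# Excerpt of the AddressSanitizer report above, trimmed to the lines the
# parser needs (shadow-byte dump and outer frames omitted).
ASAN_REPORT = """\
==22096==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000c8218 at pc 0x56373cec287d bp 0x7f74d99ec7f0 sp 0x7f74d99ec7e8
READ of size 8 at 0x6290000c8218 thread T6
    #0 0x56373cec287c in ha_maria::implicit_commit(THD*, bool) /data/src/10.1/storage/maria/ha_maria.cc:2922
0x6290000c8218 is located 24 bytes inside of 18224-byte region [0x6290000c8200,0x6290000cc930)
freed by thread T6 here:
    #0 0x7f74e52e3a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56373d6668ea in my_free /data/src/10.1/mysys/my_malloc.c:218
previously allocated by thread T6 here:
    #0 0x7f74e52e3d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56373d666708 in my_malloc /data/src/10.1/mysys/my_malloc.c:101
"""
# Location is the last token, so the greedy group keeps "(THD*, bool)" in the name.
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")

def triage(report):
    """Extract error kind, access, region bounds and the three stacks."""
    info = {"frames": {"access": [], "freed": [], "alloc": []}}
    section = "access"
    for line in (raw.strip() for raw in report.splitlines()):
        if m := re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"(READ|WRITE) of size (\d+)", line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", line):
            info["region"] = (int(m.group(1), 16), int(m.group(2), 16))
        elif line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated"):
            section = "alloc"
        elif m := FRAME_RE.match(line):
            info["frames"][section].append((m.group(1), m.group(2)))
    lo, hi = info["region"]
    # Recompute what ASan claims ("24 bytes inside of 18224-byte region").
    info["in_region"] = lo <= info["address"] < hi
    info["offset"] = info["address"] - lo
    info["region_size"] = hi - lo
    return info

def first_source_frame(frames):
    """First frame resolved to file:line, i.e. past the allocator interceptor."""
    for func, loc in frames:
        if re.search(r":\d+$", loc):
            return func, loc
    return None
```

Running triage(ASAN_REPORT) confirms the read lands 24 bytes into the freed 18224-byte block and pins the three interesting frames to ha_maria.cc:2922, my_malloc.c:218 and my_malloc.c:101.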
      

People: monty (Michael Widenius), elenst (Elena Stepanova)