  1. MariaDB Server
  2. MDEV-23797

free(): invalid pointer in free_root, SIGSEGV in free_tmp_table, ASAN heap-buffer-overflow in create_internal_tmp_table, assertion failure upon INTERSECT ALL


Details

    • Bug
    • Status: Confirmed (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
    • 10.5, 10.6, 10.11, 11.0, 11.1, 11.2
    • Server
    • None

    Description

      # MTR reproducer for MDEV-23797: memory corruption while executing
      # INTERSECT ALL under a tight per-session memory cap.
      # NOTE(review): the description says the visible failure is not
      # deterministic; the ASAN and Valgrind runs on this page both flag the
      # same invalid write, so a sanitizer build is the more reliable signal
      # when using this as a regression test.
      # Requires the Sequence engine, which provides seq_1_to_48 used below.
      --source include/have_sequence.inc
       
      # 48 identical rows (a = 0). The column added afterwards is nullable with
      # no default, so c is NULL in every existing row.
      # presumably the VARBINARY(40000) column matters because it makes the
      # result record wide; confirm against the fix.
      CREATE TABLE t1 (a INT);
      INSERT INTO t1 SELECT 0 FROM seq_1_to_48;
      ALTER TABLE t1 ADD c VARBINARY(40000);
       
      # Cap session memory at 1048576 bytes (1 MiB). The crash reports on this
      # page show the query with Status: KILL_QUERY, presumably because the cap
      # is exceeded while the statement runs.
      SET max_session_mem_used= 1048576;
      # Failing statement. In the traces on this page the fault is reached via
      # select_unit_ext::send_eof -> unfold_record -> select_unit::write_record
      # -> create_internal_tmp_table_from_heap -> create_internal_tmp_table.
      SELECT * from t1 INTERSECT ALL SELECT * from t1;
       
      # Cleanup
      DROP TABLE t1;
      

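      Effects vary depending on build type, engine in use and just luck (even the debug assertion is not deterministic; it happens intermittently with other failures). Below are some variations, but I think there can be many more. The ASAN and Valgrind reports agree on the first bad access: a write just past the end of a block allocated in Create_tmp_table::start, made from create_internal_tmp_table (sql_select.cc:19494); the free() aborts and crashes in the other variants are presumably later symptoms of the same heap corruption.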

      10.5 61df98f9 non-debug ASAN, with MyISAM (default MTR)

      ==948497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000012f0c at pc 0x7f8800a9bf2d bp 0x7f87f72e9e50 sp 0x7f87f72e95f8
      WRITE of size 56 at 0x620000012f0c thread T5
          #0 0x7f8800a9bf2c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
          #1 0x559077f68d18 in create_internal_tmp_table(TABLE*, st_key*, st_maria_columndef*, st_maria_columndef**, unsigned long long) /data/src/10.5/sql/sql_select.cc:19494
          #2 0x559077f6aac8 in create_internal_tmp_table_from_heap(THD*, TABLE*, st_maria_columndef*, st_maria_columndef**, int, bool, bool*) /data/src/10.5/sql/sql_select.cc:19829
          #3 0x55907810599b in select_unit::write_record() /data/src/10.5/sql/sql_union.cc:420
          #4 0x559078105f42 in select_unit_ext::unfold_record(unsigned long long) /data/src/10.5/sql/sql_union.cc:501
          #5 0x5590781095bb in select_unit_ext::send_eof() /data/src/10.5/sql/sql_union.cc:866
          #6 0x559077f6e596 in do_select /data/src/10.5/sql/sql_select.cc:20226
          #7 0x559077efad9e in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4455
          #8 0x559077ef8389 in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4236
          #9 0x559078116ac1 in st_select_lex_unit::exec() /data/src/10.5/sql/sql_union.cc:2216
          #10 0x559078101be1 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:41
          #11 0x559077ece019 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
          #12 0x559077e397ed in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
          #13 0x559077e28ac4 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
          #14 0x559077e44b02 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
          #15 0x559077e1b4b0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1867
          #16 0x559077e17df6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1348
          #17 0x559078252e2f in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #18 0x559078252798 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #19 0x559078f4cb96 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #20 0x7f88009be608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
          #21 0x7f8800592102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)
       
      0x620000012f0c is located 0 bytes to the right of 3724-byte region [0x620000012080,0x620000012f0c)
      allocated by thread T5 here:
          #0 0x7f8800b41bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x559079bd4b12 in sf_malloc /data/src/10.5/mysys/safemalloc.c:118
          #2 0x559079ba2386 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
          #3 0x559079b7e446 in alloc_root /data/src/10.5/mysys/my_alloc.c:244
          #4 0x559079b7ebd6 in multi_alloc_root /data/src/10.5/mysys/my_alloc.c:317
          #5 0x559077f5b04c in Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) /data/src/10.5/sql/sql_select.cc:18345
          #6 0x559077f65faa in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.5/sql/sql_select.cc:19190
          #7 0x559078104a89 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.5/sql/sql_union.cc:329
          #8 0x5590781114aa in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/src/10.5/sql/sql_union.cc:1736
          #9 0x559078101bbe in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:39
          #10 0x559077ece019 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
          #11 0x559077e397ed in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
          #12 0x559077e28ac4 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
          #13 0x559077e44b02 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
          #14 0x559077e1b4b0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1867
          #15 0x559077e17df6 in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1348
          #16 0x559078252e2f in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
          #17 0x559078252798 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
          #18 0x559078f4cb96 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
          #19 0x7f88009be608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T5 created by T0 here:
          #0 0x7f8800a6e805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x559078f47b8a in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
          #2 0x559078f4cf89 in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
          #3 0x559077b1170e in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1321
          #4 0x559077b27565 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6025
          #5 0x559077b27bda in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6084
          #6 0x559077b27f30 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6149
          #7 0x559077b28b40 in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6276
          #8 0x559077b26d8c in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5671
          #9 0x559077b0fffc in main /data/src/10.5/sql/main.cc:25
          #10 0x7f88004970b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c) 
      Shadow bytes around the buggy address:
        0x0c407fffa590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c407fffa5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c407fffa5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c407fffa5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c407fffa5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c407fffa5e0: 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c407fffa5f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c407fffa600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c407fffa610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c407fffa620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c407fffa630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==948497==ABORTING
       
      ...
      Query (0x62b0000382a8): SELECT * from t1 INTERSECT ALL SELECT * from t1
       
      Connection ID (thread ID): 4
      Status: KILL_QUERY
      

      10.5 6ab6b151 debug, with MyISAM (default MTR)

      free(): invalid size
      200923 18:53:11 [ERROR] mysqld got signal 6 ;
       
      #5  0x00007fd434c76859 in __GI_abort () at abort.c:79
      #6  0x00007fd434ce13ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fd434e0b285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
      #7  0x00007fd434ce947c in malloc_printerr (str=str@entry=0x7fd434e094c6 "free(): invalid size") at malloc.c:5347
      #8  0x00007fd434ceacbc in _int_free (av=<optimized out>, p=0x7fd4140401c0, have_lock=0) at malloc.c:4177
      #9  0x000055db6de3fefd in free_root (root=root@entry=0x7fd42b616930, MyFlags=MyFlags@entry=0) at /data/src/10.5/mysys/my_alloc.c:411
      #10 0x000055db6d6aa070 in free_tmp_table (thd=0x7fd414000c58, entry=0x7fd41403f4f0) at /data/src/10.5/sql/sql_select.cc:19955
      #11 0x000055db6d71acfe in st_select_lex_unit::cleanup (this=0x7fd414004c30) at /data/src/10.5/sql/sql_union.cc:2621
      #12 st_select_lex_unit::cleanup (this=0x7fd414004c30) at /data/src/10.5/sql/sql_union.cc:2535
      #13 0x000055db6d71d582 in mysql_union (thd=thd@entry=0x7fd414000c58, lex=lex@entry=0x7fd414004b68, result=result@entry=0x7fd414012d28, unit=unit@entry=0x7fd414004c30, setup_tables_done_option=<optimized out>) at /data/src/10.5/sql/sql_union.cc:42
      #14 0x000055db6d6cb5db in handle_select (thd=thd@entry=0x7fd414000c58, lex=lex@entry=0x7fd414004b68, result=result@entry=0x7fd414012d28, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.5/sql/sql_select.cc:407
      #15 0x000055db6d65b181 in execute_sqlcom_select (thd=0x7fd414000c58, all_tables=0x7fd414010b58) at /data/src/10.5/sql/sql_parse.cc:6210
      #16 0x000055db6d668fb0 in mysql_execute_command (thd=0x7fd414000c58) at /data/src/10.5/sql/sql_parse.cc:3932
      #17 0x000055db6d65586f in mysql_parse (thd=0x7fd414000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_parse.cc:7994
      #18 0x000055db6d6615c4 in dispatch_command (command=COM_QUERY, thd=0x7fd414000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_class.h:1254
      #19 0x000055db6d663956 in do_command (thd=0x7fd414000c58) at /data/src/10.5/sql/sql_parse.cc:1348
      #20 0x000055db6d767011 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55db7042b458, put_in_cache=put_in_cache@entry=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #21 0x000055db6d76748d in handle_one_connection (arg=arg@entry=0x55db7042b458) at /data/src/10.5/sql/sql_connect.cc:1312
      #22 0x000055db6daee686 in pfs_spawn_thread (arg=0x55db700ae998) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #23 0x00007fd435184609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x00007fd434d73103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      ...
      Query (0x7fd4140104a0): SELECT * from t1 INTERSECT ALL SELECT * from t1
       
      Connection ID (thread ID): 4
      Status: KILL_QUERY
      

      10.5 debug 6ab6b151, with MyISAM (default MTR, same build, next run)

      mariadbd: /data/src/10.5/sql/handler.cc:3056: int handler::ha_rnd_next(uchar*): Assertion `inited == RND' failed.
      200923 18:54:58 [ERROR] mysqld got signal 6 ;
       
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x00007ff55b6d7859 in __GI_abort () at abort.c:79
      #6  0x00007ff55b6d7729 in __assert_fail_base (fmt=0x7ff55b86d588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55975aa06953 "inited == RND", file=0x55975aa050cd "/data/src/10.5/sql/handler.cc", line=3056, function=<optimized out>) at assert.c:92
      #7  0x00007ff55b6e8f36 in __GI___assert_fail (assertion=0x55975aa06953 "inited == RND", file=0x55975aa050cd "/data/src/10.5/sql/handler.cc", line=3056, function=0x55975aa068f0 "int handler::ha_rnd_next(uchar*)") at assert.c:101
      #8  0x0000559759d11c78 in handler::ha_rnd_next (this=0x7ff54428d860, buf=0x7ff54428de20 "\377\376") at /data/src/10.5/sql/handler.cc:3056
      #9  0x0000559759ac1b8d in select_unit_ext::send_eof (this=0x7ff5440167d0) at /data/src/10.5/sql/sql_union.cc:832
      #10 0x0000559759a25f9d in do_select (join=0x7ff5440171e8, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20226
      #11 0x00005597599f967e in JOIN::exec_inner (this=0x7ff5440171e8) at /data/src/10.5/sql/sql_select.cc:4455
      #12 0x00005597599f879f in JOIN::exec (this=0x7ff5440171e8) at /data/src/10.5/sql/sql_select.cc:4236
      #13 0x0000559759ac6bdc in st_select_lex_unit::exec (this=0x7ff544004f50) at /data/src/10.5/sql/sql_union.cc:2216
      #14 0x0000559759abf1b2 in mysql_union (thd=0x7ff544000db8, lex=0x7ff544004e88, result=0x7ff5440167a8, unit=0x7ff544004f50, setup_tables_done_option=0) at /data/src/10.5/sql/sql_union.cc:41
      #15 0x00005597599e9a1c in handle_select (thd=0x7ff544000db8, lex=0x7ff544004e88, result=0x7ff5440167a8, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:407
      #16 0x00005597599acfe7 in execute_sqlcom_select (thd=0x7ff544000db8, all_tables=0x7ff5440145d8) at /data/src/10.5/sql/sql_parse.cc:6210
      #17 0x00005597599a4330 in mysql_execute_command (thd=0x7ff544000db8) at /data/src/10.5/sql/sql_parse.cc:3932
      #18 0x00005597599b1eba in mysql_parse (thd=0x7ff544000db8, rawbuf=0x7ff544013f20 "SELECT * from t1 INTERSECT ALL SELECT * from t1", length=47, parser_state=0x7ff5560a4510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:7994
      #19 0x000055975999e1f8 in dispatch_command (command=COM_QUERY, thd=0x7ff544000db8, packet=0x7ff544009099 "SELECT * from t1 INTERSECT ALL SELECT * from t1", packet_length=47, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1867
      #20 0x000055975999c9ec in do_command (thd=0x7ff544000db8) at /data/src/10.5/sql/sql_parse.cc:1348
      #21 0x0000559759b4877c in do_handle_one_connection (connect=0x55975cc79db8, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #22 0x0000559759b484e4 in handle_one_connection (arg=0x55975d054fe8) at /data/src/10.5/sql/sql_connect.cc:1312
      #23 0x000055975a0a49af in pfs_spawn_thread (arg=0x55975d0924c8) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #24 0x00007ff55bc00609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #25 0x00007ff55b7d4103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5 debug 6ab6b151, with InnoDB, there was a similar one with Aria

      200923 18:54:37 [ERROR] mysqld got signal 11 ;
       
      #1  0x000055aef7428825 in my_write_core (sig=11) at /data/src/10.5/mysys/stacktrace.c:424
      #2  0x000055aef6acd8ae in handle_fatal_signal (sig=11) at /data/src/10.5/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055aef67e9f9c in create_internal_tmp_table (table=0x7ff95abfaad0, keyinfo=0x7ff93005cc18, start_recinfo=0x7ff93005ccf8, recinfo=0x7ff930016828, options=2201171004160) at /data/src/10.5/sql/sql_select.cc:19516
      #5  0x000055aef67ea7de in create_internal_tmp_table_from_heap (thd=0x7ff930000db8, table=0x7ff93005c230, start_recinfo=0x7ff93005ccf8, recinfo=0x7ff930016828, error=135, ignore_last_dupp_key_error=true, is_duplicate=0x7ff95abfb48f) at /data/src/10.5/sql/sql_select.cc:19829
      #6  0x000055aef6886640 in select_unit::write_record (this=0x7ff9300167b0) at /data/src/10.5/sql/sql_union.cc:420
      #7  0x000055aef6886886 in select_unit_ext::unfold_record (this=0x7ff9300167b0, cnt=3) at /data/src/10.5/sql/sql_union.cc:501
      #8  0x000055aef6887d38 in select_unit_ext::send_eof (this=0x7ff9300167b0) at /data/src/10.5/sql/sql_union.cc:866
      #9  0x000055aef67ebf9d in do_select (join=0x7ff9300171c8, procedure=0x0) at /data/src/10.5/sql/sql_select.cc:20226
      #10 0x000055aef67bf67e in JOIN::exec_inner (this=0x7ff9300171c8) at /data/src/10.5/sql/sql_select.cc:4455
      #11 0x000055aef67be79f in JOIN::exec (this=0x7ff9300171c8) at /data/src/10.5/sql/sql_select.cc:4236
      #12 0x000055aef688cbdc in st_select_lex_unit::exec (this=0x7ff930004f50) at /data/src/10.5/sql/sql_union.cc:2216
      #13 0x000055aef68851b2 in mysql_union (thd=0x7ff930000db8, lex=0x7ff930004e88, result=0x7ff930016788, unit=0x7ff930004f50, setup_tables_done_option=0) at /data/src/10.5/sql/sql_union.cc:41
      #14 0x000055aef67afa1c in handle_select (thd=0x7ff930000db8, lex=0x7ff930004e88, result=0x7ff930016788, setup_tables_done_option=0) at /data/src/10.5/sql/sql_select.cc:407
      #15 0x000055aef6772fe7 in execute_sqlcom_select (thd=0x7ff930000db8, all_tables=0x7ff9300145d8) at /data/src/10.5/sql/sql_parse.cc:6210
      #16 0x000055aef676a330 in mysql_execute_command (thd=0x7ff930000db8) at /data/src/10.5/sql/sql_parse.cc:3932
      #17 0x000055aef6777eba in mysql_parse (thd=0x7ff930000db8, rawbuf=0x7ff930013f20 "SELECT * from t1 INTERSECT ALL SELECT * from t1", length=47, parser_state=0x7ff95abfc510, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:7994
      #18 0x000055aef67641f8 in dispatch_command (command=COM_QUERY, thd=0x7ff930000db8, packet=0x7ff930009099 "SELECT * from t1 INTERSECT ALL SELECT * from t1", packet_length=47, is_com_multi=false, is_next_command=false) at /data/src/10.5/sql/sql_parse.cc:1867
      #19 0x000055aef67629ec in do_command (thd=0x7ff930000db8) at /data/src/10.5/sql/sql_parse.cc:1348
      #20 0x000055aef690e77c in do_handle_one_connection (connect=0x55aefa8e7e88, put_in_cache=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #21 0x000055aef690e4e4 in handle_one_connection (arg=0x55aefa7bcd38) at /data/src/10.5/sql/sql_connect.cc:1312
      #22 0x000055aef6e6a9af in pfs_spawn_thread (arg=0x55aefa8e7ac8) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #23 0x00007ff965d96609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x00007ff96596a103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5 6ab6b151 RelWithDebInfo, with MyISAM

      free(): invalid size
      200923 19:07:57 [ERROR] mysqld got signal 6 ;
       
      #5  0x00007fc543f9f859 in __GI_abort () at abort.c:79
      #6  0x00007fc54400a3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fc544134285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
      #7  0x00007fc54401247c in malloc_printerr (str=str@entry=0x7fc5441324c6 "free(): invalid size") at malloc.c:5347
      #8  0x00007fc544013cbc in _int_free (av=<optimized out>, p=0x7fc52c0401c0, have_lock=0) at malloc.c:4177
      #9  0x0000564d42576efd in free_root (root=root@entry=0x7fc53e951930, MyFlags=MyFlags@entry=0) at /data/src/10.5/mysys/my_alloc.c:411
      #10 0x0000564d41de1070 in free_tmp_table (thd=0x7fc52c000c58, entry=0x7fc52c03f4f0) at /data/src/10.5/sql/sql_select.cc:19955
      #11 0x0000564d41e51cfe in st_select_lex_unit::cleanup (this=0x7fc52c004c30) at /data/src/10.5/sql/sql_union.cc:2621
      #12 st_select_lex_unit::cleanup (this=0x7fc52c004c30) at /data/src/10.5/sql/sql_union.cc:2535
      #13 0x0000564d41e54582 in mysql_union (thd=thd@entry=0x7fc52c000c58, lex=lex@entry=0x7fc52c004b68, result=result@entry=0x7fc52c012d28, unit=unit@entry=0x7fc52c004c30, setup_tables_done_option=<optimized out>) at /data/src/10.5/sql/sql_union.cc:42
      #14 0x0000564d41e025db in handle_select (thd=thd@entry=0x7fc52c000c58, lex=lex@entry=0x7fc52c004b68, result=result@entry=0x7fc52c012d28, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.5/sql/sql_select.cc:407
      #15 0x0000564d41d92181 in execute_sqlcom_select (thd=0x7fc52c000c58, all_tables=0x7fc52c010b58) at /data/src/10.5/sql/sql_parse.cc:6210
      #16 0x0000564d41d9ffb0 in mysql_execute_command (thd=0x7fc52c000c58) at /data/src/10.5/sql/sql_parse.cc:3932
      #17 0x0000564d41d8c86f in mysql_parse (thd=0x7fc52c000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_parse.cc:7994
      #18 0x0000564d41d985c4 in dispatch_command (command=COM_QUERY, thd=0x7fc52c000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_class.h:1254
      #19 0x0000564d41d9a956 in do_command (thd=0x7fc52c000c58) at /data/src/10.5/sql/sql_parse.cc:1348
      #20 0x0000564d41e9e011 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x564d45026458, put_in_cache=put_in_cache@entry=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #21 0x0000564d41e9e48d in handle_one_connection (arg=arg@entry=0x564d45026458) at /data/src/10.5/sql/sql_connect.cc:1312
      #22 0x0000564d42225686 in pfs_spawn_thread (arg=0x564d44ca9998) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #23 0x00007fc5444ad609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x00007fc54409c103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5 6ab6b151 RelWithDebInfo, with MyISAM - same build, next run

      200923 19:09:44 [ERROR] mysqld got signal 11 ;
       
      #3  <signal handler called>
      #4  0x00005580051e101d in create_internal_tmp_table (table=table@entry=0x7fbc6a63be90, keyinfo=0x7fbc5803fdd8, start_recinfo=start_recinfo@entry=0x7fbc5803feb8, recinfo=recinfo@entry=0x7fbc58012dc8, options=<optimized out>) at /data/src/10.5/sql/sql_select.cc:19516
      #5  0x00005580051e1fc0 in create_internal_tmp_table_from_heap (thd=0x7fbc58000c58, table=0x7fbc5803f4f0, start_recinfo=0x7fbc5803feb8, recinfo=recinfo@entry=0x7fbc58012dc8, error=error@entry=135, ignore_last_dupp_key_error=ignore_last_dupp_key_error@entry=true, is_duplicate=0x7fbc6a63c760) at /data/src/10.5/sql/sql_lex.h:3147
      #6  0x000055800524f5e8 in select_unit::write_record (this=this@entry=0x7fbc58012d50) at /data/src/10.5/sql/sql_union.cc:420
      #7  0x000055800524fc18 in select_unit_ext::unfold_record (this=this@entry=0x7fbc58012d50, cnt=6, cnt@entry=48) at /data/src/10.5/sql/sql_union.cc:501
      #8  0x0000558005251274 in select_unit_ext::send_eof (this=0x7fbc58012d50) at /data/src/10.5/sql/sql_union.cc:866
      #9  0x00005580052068cf in do_select (procedure=<optimized out>, join=0x7fbc58013768) at /data/src/10.5/sql/sql_select.cc:20226
      #10 JOIN::exec_inner (this=0x7fbc58013768) at /data/src/10.5/sql/sql_select.cc:4455
      #11 0x0000558005206c29 in JOIN::exec (this=0x7fbc58013768) at /data/src/10.5/sql/sql_select.cc:4236
      #12 0x0000558005253a3c in st_select_lex_unit::exec (this=0x7fbc58004c30) at /data/src/10.5/sql/sql_union.cc:2216
      #13 0x0000558005257578 in mysql_union (thd=thd@entry=0x7fbc58000c58, lex=lex@entry=0x7fbc58004b68, result=result@entry=0x7fbc58012d28, unit=unit@entry=0x7fbc58004c30, setup_tables_done_option=<optimized out>) at /data/src/10.5/sql/sql_union.cc:41
      #14 0x00005580052055db in handle_select (thd=thd@entry=0x7fbc58000c58, lex=lex@entry=0x7fbc58004b68, result=result@entry=0x7fbc58012d28, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.5/sql/sql_select.cc:407
      #15 0x0000558005195181 in execute_sqlcom_select (thd=0x7fbc58000c58, all_tables=0x7fbc58010b58) at /data/src/10.5/sql/sql_parse.cc:6210
      #16 0x00005580051a2fb0 in mysql_execute_command (thd=0x7fbc58000c58) at /data/src/10.5/sql/sql_parse.cc:3932
      #17 0x000055800518f86f in mysql_parse (thd=0x7fbc58000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_parse.cc:7994
      #18 0x000055800519b5c4 in dispatch_command (command=COM_QUERY, thd=0x7fbc58000c58, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.5/sql/sql_class.h:1254
      #19 0x000055800519d956 in do_command (thd=0x7fbc58000c58) at /data/src/10.5/sql/sql_parse.cc:1348
      #20 0x00005580052a1011 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x558007ab9458, put_in_cache=put_in_cache@entry=true) at /data/src/10.5/sql/sql_connect.cc:1410
      #21 0x00005580052a148d in handle_one_connection (arg=arg@entry=0x558007ab9458) at /data/src/10.5/sql/sql_connect.cc:1312
      #22 0x0000558005628686 in pfs_spawn_thread (arg=0x55800773c998) at /data/src/10.5/storage/perfschema/pfs.cc:2201
      #23 0x00007fbc70198609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #24 0x00007fbc6fd87103 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.5 6ab6b151 Valgrind

      ==949896== Thread 6:
      ==949896== Invalid write of size 8
      ==949896==    at 0x4842967: memset (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==949896==    by 0xAB5E23: create_internal_tmp_table(TABLE*, st_key*, st_maria_columndef*, st_maria_columndef**, unsigned long long) (sql_select.cc:19494)
      ==949896==    by 0xAB67C7: create_internal_tmp_table_from_heap(THD*, TABLE*, st_maria_columndef*, st_maria_columndef**, int, bool, bool*) (sql_select.cc:19829)
      ==949896==    by 0xB5498E: select_unit::write_record() (sql_union.cc:420)
      ==949896==    by 0xB54BD3: select_unit_ext::unfold_record(unsigned long long) (sql_union.cc:501)
      ==949896==    by 0xB56085: select_unit_ext::send_eof() (sql_union.cc:866)
      ==949896==    by 0xAB7F95: do_select(JOIN*, Procedure*) (sql_select.cc:20226)
      ==949896==    by 0xA8B192: JOIN::exec_inner() (sql_select.cc:4455)
      ==949896==    by 0xA8A2B0: JOIN::exec() (sql_select.cc:4236)
      ==949896==    by 0xB5AF77: st_select_lex_unit::exec() (sql_union.cc:2216)
      ==949896==    by 0xB534F9: mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) (sql_union.cc:41)
      ==949896==    by 0xA7B38F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:407)
      ==949896==    by 0xA3DF86: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6210)
      ==949896==    by 0xA35299: mysql_execute_command(THD*) (sql_parse.cc:3932)
      ==949896==    by 0xA42F29: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7994)
      ==949896==    by 0xA2F115: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1867)
      ==949896==    by 0xA2D909: do_command(THD*) (sql_parse.cc:1348)
      ==949896==    by 0xBE03EB: do_handle_one_connection(CONNECT*, bool) (sql_connect.cc:1410)
      ==949896==    by 0xBE0153: handle_one_connection (sql_connect.cc:1312)
      ==949896==    by 0x1159426: pfs_spawn_thread (pfs.cc:2201)
      ==949896==  Address 0xbd8ece8 is 0 bytes after a block of size 3,608 alloc'd
      ==949896==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==949896==    by 0x1750EB6: my_malloc (my_malloc.c:88)
      ==949896==    by 0x1740BB9: alloc_root (my_alloc.c:190)
      ==949896==    by 0x1740DE6: multi_alloc_root (my_alloc.c:317)
      ==949896==    by 0xAB0FF4: Create_tmp_table::start(THD*, TMP_TABLE_PARAM*, st_mysql_const_lex_string const*) (sql_select.cc:18345)
      ==949896==    by 0xAB4DFB: create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) (sql_select.cc:19190)
      ==949896==    by 0xB544B0: select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) (sql_union.cc:329)
      ==949896==    by 0xB592A0: st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) (sql_union.cc:1736)
      ==949896==    by 0xB534DF: mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) (sql_union.cc:39)
      ==949896==    by 0xA7B38F: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:407)
      ==949896==    by 0xA3DF86: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:6210)
      ==949896==    by 0xA35299: mysql_execute_command(THD*) (sql_parse.cc:3932)
      ==949896==    by 0xA42F29: mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) (sql_parse.cc:7994)
      ==949896==    by 0xA2F115: dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) (sql_parse.cc:1867)
      ==949896==    by 0xA2D909: do_command(THD*) (sql_parse.cc:1348)
      ==949896==    by 0xBE03EB: do_handle_one_connection(CONNECT*, bool) (sql_connect.cc:1410)
      ==949896==    by 0xBE0153: handle_one_connection (sql_connect.cc:1312)
      ==949896==    by 0x1159426: pfs_spawn_thread (pfs.cc:2201)
      ==949896==    by 0x48C6608: start_thread (pthread_create.c:477)
      ==949896==    by 0x4D55102: clone (clone.S:95)
      ==949896== 
      

            People

              sanja Oleksandr Byelkin
              elenst Elena Stepanova