SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)

SET @cmd:="CREATE DEFINER=u FUNCTION f(i INT) RETURNS CHAR BINARY READS SQL DATA RETURN CONCAT (1,i)";

PREPARE s FROM @cmd;

EXECUTE s;

EXECUTE s;

Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736

[Current thread is 1 (Thread 0x1496c982c700 (LWP 2632740))]

(gdb) bt

#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736

#1  0x0000563809d3529e in sp_process_definer (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_parse.cc:2811

#2  0x0000563809d354e7 in mysql_create_routine (thd=thd@entry=0x149678000d48, lex=lex@entry=0x14967801b798) at /test/10.11_dbg/sql/sql_parse.cc:3083

#3  0x0000563809d3b894 in mysql_execute_command (thd=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:5714

#4  0x0000563809d5f3ca in Prepared_statement::execute (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false) at /test/10.11_dbg/sql/sql_prepare.cc:5225

#5  0x0000563809d5f763 in Prepared_statement::execute_loop (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.11_dbg/sql/sql_prepare.cc:4648

#6  0x0000563809d5fdac in mysql_sql_stmt_execute (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_prepare.cc:3690

#7  0x0000563809d36c2f in mysql_execute_command (thd=thd@entry=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3961

#8  0x0000563809d24f90 in mysql_parse (thd=thd@entry=0x149678000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1496c982b300) at /test/10.11_dbg/sql/sql_parse.cc:8023

#9  0x0000563809d324ac in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149678000d48, packet=packet@entry=0x14967800af09 "EXECUTE s", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346

#10 0x0000563809d348f4 in do_command (thd=0x149678000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407

#11 0x0000563809e91067 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56380c332b78, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416

#12 0x0000563809e91536 in handle_one_connection (arg=0x56380c332b78) at /test/10.11_dbg/sql/sql_connect.cc:1318

#13 0x00001496e74b7609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#14 0x00001496e70a3133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

==2719313==ERROR: AddressSanitizer: use-after-poison on address 0x6290000872c8 at pc 0x55567855796f bp 0x1481a2c5be30 sp 0x1481a2c5be20

READ of size 8 at 0x6290000872c8 thread T13

    #0 0x55567855796e in get_current_user(THD*, LEX_USER*, bool) /test/10.11_opt_san/sql/sql_acl.cc:12863

    #1 0x555678a139e7 in sp_process_definer(THD*) /test/10.11_opt_san/sql/sql_parse.cc:2801

    #2 0x555678a15918 in mysql_create_routine /test/10.11_opt_san/sql/sql_parse.cc:3083

    #3 0x555678a2a48a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:5714

    #4 0x555678b24a0d in Prepared_statement::execute(String*, bool) /test/10.11_opt_san/sql/sql_prepare.cc:5223

    #5 0x555678b278ed in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/10.11_opt_san/sql/sql_prepare.cc:4646

    #6 0x555678b29c9b in mysql_sql_stmt_execute(THD*) /test/10.11_opt_san/sql/sql_prepare.cc:3690

    #7 0x555678a2cc8a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3961

    #8 0x5556789b1500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035

    #9 0x555678a060ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894

    #10 0x555678a113fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407

    #11 0x5556792fa4cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418

    #12 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312

    #13 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

    #14 0x1481c4ab4132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x6290000872c8 is located 200 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)

allocated by thread T13 here:

    #0 0x555678185a08 in __interceptor_malloc (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x79c3a08)

    #1 0x55567c675824 in my_malloc /test/10.11_opt_san/mysys/my_malloc.c:90

    #2 0x55567c651600 in root_alloc /test/10.11_opt_san/mysys/my_alloc.c:66

    #3 0x55567c651600 in reset_root_defaults /test/10.11_opt_san/mysys/my_alloc.c:243

    #4 0x5556786a363c in THD::init_for_queries() /test/10.11_opt_san/sql/sql_class.cc:1385

    #5 0x5556792f4ee3 in prepare_new_connection_state(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1240

    #6 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1333

    #7 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1322

    #8 0x5556792f9509 in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1408

    #9 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312

    #10 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T13 created by T0 here:

    #0 0x5556780b2a45 in pthread_create (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x78f0a45)

    #1 0x5556781d5f83 in create_thread_to_handle_connection(CONNECT*) /test/10.11_opt_san/sql/mysqld.cc:6018

    #2 0x5556781e700f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_opt_san/sql/mysqld.cc:6139

    #3 0x5556781e8037 in handle_connections_sockets() /test/10.11_opt_san/sql/mysqld.cc:6263

    #4 0x5556781eaf94 in mysqld_main(int, char**) /test/10.11_opt_san/sql/mysqld.cc:5913

    #5 0x1481c49b9082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /test/10.11_opt_san/sql/sql_acl.cc:12863 in get_current_user(THD*, LEX_USER*, bool)

Shadow bytes around the buggy address:

  0x0c5280008e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c5280008e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c5280008e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c5280008e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c5280008e40: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

=>0x0c5280008e50: 00 00 00 f7 00 02 f7 02 f7[f7]f7 f7 f7 f7 f7 f7

  0x0c5280008e60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280008e70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280008e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280008e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280008ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==2719313==ABORTING