Server crash / ASAN use-after-poison in Binary_string::free_buffer / Item_func_sformat::~Item_func_sformat

create table t (a char(8), i int);

insert into t values ('foo',1),('bar',2);

create view v as select a, sum(i) from t group by a;

SELECT * FROM v WHERE a != SFORMAT('{}', 'qux');

# Cleanup

drop view v;

drop table t;

#3  <signal handler called>

#4  0x0000563a4d104360 in Binary_string::free_buffer (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:228

#5  0x0000563a4d1044ea in Binary_string::free (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:692

#6  0x0000563a4d10446a in Binary_string::~Binary_string (this=0xf1f271bed5f35828, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:275

#7  0x0000563a4d104640 in String::~String (this=0xf1f271bed5f35820, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:804

#8  0x0000563a4d76bdd2 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640

#9  0x0000563a4d76be34 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640

#10 0x0000563a4d2205db in Item::delete_self (this=0x7fcce40165a0) at /data/src/11.0/sql/item.h:2564

#11 0x0000563a4d212d84 in Query_arena::free_items (this=0x7fcce4000de0) at /data/src/11.0/sql/sql_class.cc:3909

#12 0x0000563a4d20cdaf in THD::cleanup_after_query (this=0x7fcce4000dc8) at /data/src/11.0/sql/sql_class.cc:2282

#13 0x0000563a4d2a664e in mysql_parse (thd=0x7fcce4000dc8, rawbuf=0x7fcce4015500 "SELECT * FROM v WHERE a != SFORMAT('{}', 'qux')", length=47, parser_state=0x7fccfad62370) at /data/src/11.0/sql/sql_parse.cc:8023

#14 0x0000563a4d2920c5 in dispatch_command (command=COM_QUERY, thd=0x7fcce4000dc8, packet=0x7fcce400ba69 "", packet_length=47, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1894

#15 0x0000563a4d290a2c in do_command (thd=0x7fcce4000dc8, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1407

#16 0x0000563a4d481df6 in do_handle_one_connection (connect=0x563a50b6b8a8, put_in_cache=true) at /data/src/11.0/sql/sql_connect.cc:1416

#17 0x0000563a4d481b6b in handle_one_connection (arg=0x563a50b5b4b8) at /data/src/11.0/sql/sql_connect.cc:1318

#18 0x0000563a4d99fc9e in pfs_spawn_thread (arg=0x563a50b6b418) at /data/src/11.0/storage/perfschema/pfs.cc:2201

#19 0x00007fcd042a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442

#20 0x00007fcd0432866c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

==593774==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7468 at pc 0x55c9edd8fe5b bp 0x7f4fca282400 sp 0x7f4fca2823f8

READ of size 8 at 0x6290000e7468 thread T5

    #0 0x55c9edd8fe5a in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640

    #1 0x55c9edd8ff51 in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640

    #2 0x55c9ed18a8f8 in Item::delete_self() /data/src/11.0/sql/item.h:2564

    #3 0x55c9ed16bc32 in Query_arena::free_items() /data/src/11.0/sql/sql_class.cc:3909

    #4 0x55c9ed15c845 in THD::cleanup_after_query() /data/src/11.0/sql/sql_class.cc:2282

    #5 0x55c9ed2be4c8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.0/sql/sql_parse.cc:8023

    #6 0x55c9ed294294 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.0/sql/sql_parse.cc:1894

    #7 0x55c9ed290fc6 in do_command(THD*, bool) /data/src/11.0/sql/sql_parse.cc:1407

    #8 0x55c9ed74c5f9 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1416

    #9 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318

    #10 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201

    #11 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442

    #12 0x7f4fd1b2866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6290000e7468 is located 4712 bytes inside of 16400-byte region [0x6290000e6200,0x6290000ea210)

allocated by thread T5 here:

    #0 0x7f4fd26b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69

    #1 0x55c9eef03fa1 in my_malloc /data/src/11.0/mysys/my_malloc.c:91

    #2 0x55c9eeedf5b5 in root_alloc /data/src/11.0/mysys/my_alloc.c:71

    #3 0x55c9eeee04aa in reset_root_defaults /data/src/11.0/mysys/my_alloc.c:248

    #4 0x55c9ed155ee0 in THD::init_for_queries() /data/src/11.0/sql/sql_class.cc:1386

    #5 0x55c9ed74b89e in prepare_new_connection_state(THD*) /data/src/11.0/sql/sql_connect.cc:1245

    #6 0x55c9ed74c03b in thd_prepare_connection(THD*) /data/src/11.0/sql/sql_connect.cc:1339

    #7 0x55c9ed74c553 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1406

    #8 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318

    #9 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201

    #10 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:

    #0 0x7f4fd2649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207

    #1 0x55c9ee31f5ea in my_thread_create /data/src/11.0/storage/perfschema/my_thread.h:52

    #2 0x55c9ee323c9e in pfs_spawn_thread_v1 /data/src/11.0/storage/perfschema/pfs.cc:2252

    #3 0x55c9eced878a in inline_mysql_thread_create /data/src/11.0/include/mysql/psi/mysql_thread.h:1139

    #4 0x55c9ecef06c6 in create_thread_to_handle_connection(CONNECT*) /data/src/11.0/sql/mysqld.cc:6126

    #5 0x55c9ecef0ceb in create_new_thread(CONNECT*) /data/src/11.0/sql/mysqld.cc:6188

    #6 0x55c9ecef0fd6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.0/sql/mysqld.cc:6250

    #7 0x55c9ecef195a in handle_connections_sockets() /data/src/11.0/sql/mysqld.cc:6374

    #8 0x55c9eceeff43 in mysqld_main(int, char**) /data/src/11.0/sql/mysqld.cc:6021

    #9 0x55c9eced78f8 in main /data/src/11.0/sql/main.cc:34

    #10 0x7f4fd1a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/src/11.0/sql/item_strfunc.h:640 in Item_func_sformat::~Item_func_sformat()

Shadow bytes around the buggy address:

  0x0c5280014e30: 00 00 00 00 00 00 00 00 00 f7 00 f7 03 f7 00 00

  0x0c5280014e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 07 f7

  0x0c5280014e50: 00 05 f7 00 00 00 f7 00 00 f7 04 f7 00 00 00 00

  0x0c5280014e60: 00 00 00 00 00 00 00 00 00 00 00 f7 00 02 f7 00

  0x0c5280014e70: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00

=>0x0c5280014e80: 00 00 00 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7

  0x0c5280014e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280014ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280014eb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280014ec0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280014ed0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==593774==ABORTING