  1. MariaDB Server
  2. MDEV-32410

make_aggr_tables_info: Use-After-Poison at /mariadb-11.3.0/sql/item.cc:3042


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • 10.5.28
    • Server
    • None
    • Ubuntu 20.04

    Description

      Run these queries on a debug (ASAN-instrumented) build:

      CREATE TABLE t0 ( c31 DOUBLE ( 178 , 27 ) ) ;
      INSERT INTO t0 VALUES ( DEFAULT ) , ( DEFAULT ) ;
      CREATE INDEX i0 ON t0 ( c31 ) ;
      INSERT INTO t0 VALUES ( -114 ) , ( 123 ) ;
      WITH t1 AS ( SELECT BIT_OR( ROUND ( -6977545922884371489 ) IN ( SELECT -47 AS c34 ) ) OVER ( PARTITION BY -7669982219226196112 ) | ORD ( 70 ) AS c27 , COUNT( DISTINCT REVERSE ( RAND ( ) % ASCII ( 78 ) ) >> CONVERT ( -13 , UNSIGNED ) % EXISTS ( SELECT RIGHT ( -102 , 'x6n}|yH-L1mmg' ) AS c51 , 62 AS c21 ) , RAND ( ) % HEX ( 1 ) - -127 = 54 NOT IN ( 51 , 48 , 8 <= -84 , RAND ( ) IS NOT NULL IS NOT TRUE ) ) << RAND ( ) & ( SELECT 80 AS c23 WHERE LOG ( -40 , -109 ) <= 43 HAVING RAND ( ) LIMIT 1 ) AS c3 ) SELECT t1 . c27 AS c58 FROM t1 LEFT OUTER JOIN t0 AS t2 ON TRUE WHERE EXISTS ( SELECT t3 . c17 AS c16 FROM ( SELECT BIN ( -60 ) ^ t1 . c27 AS c17 FROM t1 ) AS t3 JOIN t0 ON t3 . c17 = t1 . c27 WHERE CASE -122 WHEN 91 THEN 91 ELSE -97 END = c27 ) = 70 ;

      This triggers a use-after-poison report. Note that the faulting shadow byte is f7 ("Poisoned by user" in the legend below), i.e. memory that the server's own allocator instrumentation marked as no longer valid, rather than a region freed by the system allocator.
      ASAN info:
      =================================================================
      ==90407==ERROR: AddressSanitizer: use-after-poison on address 0x619000177e30 at pc 0x00000133140a bp 0x7fffd24293c0 sp 0x7fffd24293b8
      READ of size 8 at 0x619000177e30 thread T15
      #0 0x1331409 in Item_field::Item_field(THD*, Field*) /home/wx/mariadb-11.3.0/sql/item.cc:3042:38
      #1 0x15ef5aa in Item_sum::get_tmp_table_item(THD*) /home/wx/mariadb-11.3.0/sql/item_sum.cc:563:33
      #2 0xc2f1a8 in change_refs_to_tmp_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, List<Item>&, unsigned int, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28691:29
      #3 0xc2f1a8 in JOIN::make_aggr_tables_info() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3798:11
      #4 0xbfc65f in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438:9
      #5 0xc13910 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650:9
      #6 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #7 0xa54c75 in mysql_derived_optimize(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1037:23
      #8 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #9 0xc1312c in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2442:6
      #10 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #11 0xbe4fde in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235:19
      #12 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #13 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #14 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #15 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #16 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #17 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #18 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #19 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #20 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #21 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
      #22 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      0x619000177e30 is located 944 bytes inside of 1040-byte region [0x619000177a80,0x619000177e90)
      allocated by thread T15 here:
      #0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
      #1 0x22a6308 in my_malloc /home/wx/mariadb-11.3.0/mysys/my_malloc.c:89:29
      #2 0x228fff9 in root_alloc /home/wx/mariadb-11.3.0/mysys/my_alloc.c:71:10
      #3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
      #4 0x10f862d in Field::operator new(unsigned long, st_mem_root*) /home/wx/mariadb-11.3.0/sql/field.h:771:12
      #5 0x10f862d in Type_handler_longlong::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:8156:10
      #6 0x10cac4a in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3573:10
      #7 0x10caa4e in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3558:17
      #8 0xc871ec in Item::tmp_table_field_from_field_type(st_mem_root*, TABLE*) /home/wx/mariadb-11.3.0/sql/item.h:914:15
      #9 0xc871ec in Item::tmp_table_field_from_field_type_maybe_null(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20534:16
      #10 0xc8940f in create_tmp_field(TABLE*, Item*, Item**, Field, Field*, bool, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20823:24
      #11 0xc8c548 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21261:9
      #12 0xc36790 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21920:13
      #13 0xc38fed in JOIN::create_postjoin_aggr_table(st_join_table*, List<Item>, st_order, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:4215:17
      #14 0xc2eab9 in JOIN::make_aggr_tables_info() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3775:9
      #15 0xbfc65f in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438:9
      #16 0xc13910 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650:9
      #17 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #18 0xa54c75 in mysql_derived_optimize(THD*, LEX*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:1037:23
      #19 0xa57cc1 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home/wx/mariadb-11.3.0/sql/sql_derived.cc:200:15
      #20 0xc1312c in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2442:6
      #21 0xbfc155 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944:10
      #22 0xbe4fde in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235:19
      #23 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
      #24 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
      #25 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
      #26 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
      #27 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
      #28 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
      #29 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
      #30 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
      #31 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
      #32 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

      Thread T15 created by T0 here:
      #0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
      #1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
      #2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
      #3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
      #4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
      #5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
      #6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
      #7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
      #8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
      #9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

      SUMMARY: AddressSanitizer: use-after-poison /home/wx/mariadb-11.3.0/sql/item.cc:3042:38 in Item_field::Item_field(THD*, Field*)
      Shadow bytes around the buggy address:
      0x0c3280026f70: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280026f80: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
      0x0c3280026f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280026fa0: 00 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00
      0x0c3280026fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c3280026fc0: 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
      0x0c3280026fd0: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280026fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3280026ff0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
      0x0c3280027000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3280027010: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      ==90407==ABORTING

      And run these queries on a release build:

      CREATE TABLE t0 ( c4 INT , INDEX i0 ( c4 ASC ) ) ;
      INSERT INTO t0 VALUES ( DEFAULT ) , ( DEFAULT ) ;
      UPDATE t0 SET c4 = 77 WHERE c4 = EXISTS ( SELECT 5 = COUNT( DISTINCT CONVERT ( 334126326737020548 , UNSIGNED ) % RAND ( ) - RAND ( 2366243224093960513 ) << + EXISTS ( SELECT 31 AS c43 ) IS NULL , ROUND ( -111 , 6 ) SOUNDS LIKE TRIM( TRAILING FROM -60 ) AND RAND ( ) ) << MAX( DISTINCT SIN ( 127 ) + RAND ( ) << SQRT ( 56 NOT IN ( -54 , -29 , 50 ) ) - -81 ) OVER ( PARTITION BY 109 ) SOUNDS LIKE ~ UNHEX ( -51 ) / REPEAT ( 3 , SIN ( 128 ) IS TRUE ) >> INSTR ( 1431933883031988488 , 'yj/5|&,d]`4,}5dmO;PhHIzvu[F$al-c*PBf<tt_P!cu' ) % SIN ( 8875819709143325833 ) AS c11 , -16 AS c32 ) ORDER BY t0 . c4 ;

      This triggers a segmentation fault; the GDB session below shows that `f->table_name` points to address 0x0 at the time of the dereference.
      GDB info:
      Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
      [Switching to Thread 0x7fffd242e300 (LWP 3328)]
      0x0000000001330ca6 in Item_field::Item_field (this=0x6290000b4360, thd=0x62b00016c218, f=0x61900008a608) at /home/wx/mariadb-11.3.0/sql/item.cc:3042
      3042 Lex_cstring_strlen(*f->table_name), f->field_name),
      (gdb) p *f->table_name
      Cannot access memory at address 0x0

      #0 0x0000000001330ca6 in Item_field::Item_field (this=0x6290000b9490, thd=0x62b00016c218, f=0x619000122e08) at /home/wx/mariadb-11.3.0/sql/item.cc:3042
      #1 0x00000000015ef5ab in Item_sum::get_tmp_table_item (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/item_sum.cc:563
      #2 0x0000000000c2f1a9 in change_refs_to_tmp_fields (thd=<optimized out>, ref_pointer_array=..., res_selected_fields=..., res_all_fields=..., elements=2, all_fields=...) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28691
      #3 JOIN::make_aggr_tables_info (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3798
      #4 0x0000000000bfc660 in JOIN::optimize_stage2 (this=0x6290000b2908) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:3438
      #5 0x0000000000c13911 in JOIN::optimize_inner (this=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
      #6 0x0000000000bfc156 in JOIN::optimize (this=0x6290000b2908) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
      #7 0x0000000000ab5421 in st_select_lex::optimize_unflattened_subqueries (this=<optimized out>, const_only=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4916
      #8 0x0000000000e163fb in Sql_cmd_update::update_single_table (this=0x6290000920f8, thd=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:421
      #9 0x0000000000e2cf6a in Sql_cmd_update::execute_inner (this=<optimized out>, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_update.cc:3065
      #10 0x0000000000cc40b2 in Sql_cmd_dml::execute (this=0x6290000920f8, thd=0x62b00016c218) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:33350
      #11 0x0000000000b2ce82 in mysql_execute_command (thd=0x62b00016c218, is_called_from_prepared_stmt=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:4361
      #12 0x0000000000b1fe79 in mysql_parse (thd=thd@entry=0x62b00016c218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, parser_state@entry=0x7fffd242ca80) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #13 0x0000000000b19069 in dispatch_command (command=<optimized out>, thd=0x62b00016c218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
      #14 0x0000000000b20b71 in do_command (thd=0x62b00016c218, blocking=true) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #15 0x0000000000f03476 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #16 0x0000000000f02eb9 in handle_one_connection (arg=arg@entry=0x608001bcedb8) at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #17 0x0000000001a00c1b in pfs_spawn_thread (arg=0x617000005498) at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #18 0x00007ffff79f7609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
      #19 0x00007ffff770f133 in clone () from /lib/x86_64-linux-gnu/libc.so.6

              oleg.smirnov Oleg Smirnov
              Xin Wen Xin Wen