
ASAN errors in Binary_string::alloced_length / reset_stmt_params


Details

    Description

      CREATE TABLE t (a INT);
      PREPARE stmt FROM 'BEGIN NOT ATOMIC SELECT * FROM t LIMIT ?; END';
      EXECUTE stmt USING 1;
      ALTER TABLE t ADD COLUMN f INT;
      EXECUTE stmt USING 1;
       
      # Cleanup
      DROP TABLE t;
      

      bb-11.2-release 7667833d

      ==252874==ERROR: AddressSanitizer: use-after-poison on address 0x625000176884 at pc 0x5643dd37a691 bp 0x7ff15f355980 sp 0x7ff15f355978
      READ of size 4 at 0x625000176884 thread T5
          #0 0x5643dd37a690 in Binary_string::alloced_length() const /data/src/11.2/sql/sql_string.h:527
          #1 0x5643ddff949b in Item_param::reset() /data/src/11.2/sql/item.cc:4473
          #2 0x5643dd6ed5a4 in reset_stmt_params /data/src/11.2/sql/sql_prepare.cc:3090
          #3 0x5643dd6f5e90 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/11.2/sql/sql_prepare.cc:4480
          #4 0x5643dd6ef009 in mysql_sql_stmt_execute(THD*) /data/src/11.2/sql/sql_prepare.cc:3480
          #5 0x5643dd64ee24 in mysql_execute_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:3973
          #6 0x5643dd668eda in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.2/sql/sql_parse.cc:7808
          #7 0x5643dd6411fc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.2/sql/sql_parse.cc:1893
          #8 0x5643dd63df39 in do_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:1406
          #9 0x5643ddb0beda in do_handle_one_connection(CONNECT*, bool) /data/src/11.2/sql/sql_connect.cc:1418
          #10 0x5643ddb0b89b in handle_one_connection /data/src/11.2/sql/sql_connect.cc:1320
          #11 0x5643de73d0bb in pfs_spawn_thread /data/src/11.2/storage/perfschema/pfs.cc:2201
          #12 0x7ff166aa8043 in start_thread nptl/pthread_create.c:442
          #13 0x7ff166b2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x625000176884 is located 8068 bytes inside of 8208-byte region [0x625000174900,0x625000176910)
      allocated by thread T5 here:
          #0 0x7ff1676b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x5643df333637 in my_malloc /data/src/11.2/mysys/my_malloc.c:93
          #2 0x5643df30e743 in root_alloc /data/src/11.2/mysys/my_alloc.c:71
          #3 0x5643df30ef9a in init_alloc_root /data/src/11.2/mysys/my_alloc.c:184
          #4 0x5643dda5ea06 in init_sql_alloc(unsigned int, st_mem_root*, unsigned int, unsigned int, unsigned long) /data/src/11.2/sql/thr_malloc.cc:64
          #5 0x5643dd3e1c12 in sp_head::create(sp_package*, Sp_handler const*, enum_sp_aggregate_type, st_mem_root*) /data/src/11.2/sql/sp_head.cc:519
          #6 0x5643dd5e97db in LEX::make_sp_head(THD*, sp_name const*, Sp_handler const*, enum_sp_aggregate_type) /data/src/11.2/sql/sql_lex.cc:7379
          #7 0x5643dd5ec90a in LEX::maybe_start_compound_statement(THD*) /data/src/11.2/sql/sql_lex.cc:7818
          #8 0x5643dde45560 in MYSQLparse(THD*) /data/src/11.2/sql/sql_yacc.yy:18627
          #9 0x5643dd67789f in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /data/src/11.2/sql/sql_parse.cc:10166
          #10 0x5643dd6f3b4e in Prepared_statement::prepare(char const*, unsigned int) /data/src/11.2/sql/sql_prepare.cc:4173
          #11 0x5643dd6eb72c in mysql_sql_stmt_prepare(THD*) /data/src/11.2/sql/sql_prepare.cc:2817
          #12 0x5643dd64ee10 in mysql_execute_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:3968
          #13 0x5643dd668eda in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.2/sql/sql_parse.cc:7808
          #14 0x5643dd6411fc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.2/sql/sql_parse.cc:1893
          #15 0x5643dd63df39 in do_command(THD*, bool) /data/src/11.2/sql/sql_parse.cc:1406
          #16 0x5643ddb0beda in do_handle_one_connection(CONNECT*, bool) /data/src/11.2/sql/sql_connect.cc:1418
          #17 0x5643ddb0b89b in handle_one_connection /data/src/11.2/sql/sql_connect.cc:1320
          #18 0x5643de73d0bb in pfs_spawn_thread /data/src/11.2/storage/perfschema/pfs.cc:2201
          #19 0x7ff166aa8043 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7ff167649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x5643de738df6 in my_thread_create /data/src/11.2/storage/perfschema/my_thread.h:52
          #2 0x5643de73d4aa in pfs_spawn_thread_v1 /data/src/11.2/storage/perfschema/pfs.cc:2252
          #3 0x5643dd28d85b in inline_mysql_thread_create /data/src/11.2/include/mysql/psi/mysql_thread.h:1139
          #4 0x5643dd2a5a57 in create_thread_to_handle_connection(CONNECT*) /data/src/11.2/sql/mysqld.cc:6174
          #5 0x5643dd2a607c in create_new_thread(CONNECT*) /data/src/11.2/sql/mysqld.cc:6236
          #6 0x5643dd2a6367 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.2/sql/mysqld.cc:6298
          #7 0x5643dd2a6ceb in handle_connections_sockets() /data/src/11.2/sql/mysqld.cc:6422
          #8 0x5643dd2a52d4 in mysqld_main(int, char**) /data/src/11.2/sql/mysqld.cc:6069
          #9 0x5643dd28c968 in main /data/src/11.2/sql/main.cc:34
          #10 0x7ff166a461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/11.2/sql/sql_string.h:527 in Binary_string::alloced_length() const
      Shadow bytes around the buggy address:
        0x0c4a80026cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4a80026cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c4a80026ce0: 00 f7 05 f7 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7
        0x0c4a80026cf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c4a80026d00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c4a80026d10:[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00
        0x0c4a80026d20: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4a80026d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4a80026d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4a80026d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c4a80026d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==252874==ABORTING
      231107  1:28:47 [ERROR] mysqld got signal 6 ;
      Sorry, we probably made a mistake, and this is a bug.
       
      Your assistance in bug reporting will enable us to fix this for the next release.
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed, 
      something is definitely wrong and this may fail.
       
      Server version: 11.2.2-MariaDB-debug-log source revision: 7667833d84b69ed328fef692d5bb67cd2ba0f3f0
      key_buffer_size=1048576
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63994 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x62c0000c0218
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7ff15f357bd0 thread_stack 0x100000
      sanitizer_common/sanitizer_common_interceptors.inc:4277(__interceptor_backtrace.part.0)[0x7ff167651f31]
      mysys/stacktrace.c:215(my_print_stacktrace)[0x5643df344775]
      sql/signal_handler.cc:238(handle_fatal_signal)[0x5643ddf7ad4b]
      libc_sigaction.c:0(__restore_rt)[0x7ff166a5afd0]
      nptl/pthread_kill.c:44(__pthread_kill_implementation)[0x7ff166aa9d3c]
      posix/raise.c:27(__GI_raise)[0x7ff166a5af32]
      stdlib/abort.c:81(__GI_abort)[0x7ff166a45472]
      sanitizer_common/sanitizer_posix_libcdep.cpp:137(__sanitizer::Abort())[0x7ff1676d650f]
      sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7ff1676e2ba1]
      asan/asan_report.cpp:190(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7ff1676c1f5e]
      asan/asan_report.cpp:479(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7ff1676c14c6]
      asan/asan_rtl.cpp:122(__asan_report_load4)[0x7ff1676c251c]
      sql/sql_string.h:527(Binary_string::alloced_length() const)[0x5643dd37a691]
      sql/item.cc:4473(Item_param::reset())[0x5643ddff949c]
      sql/sql_prepare.cc:3091(reset_stmt_params(Prepared_statement*))[0x5643dd6ed5a5]
      sql/sql_prepare.cc:4497(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x5643dd6f5e91]
      sql/sql_prepare.cc:3481(mysql_sql_stmt_execute(THD*))[0x5643dd6ef00a]
      sql/sql_parse.cc:3974(mysql_execute_command(THD*, bool))[0x5643dd64ee25]
      sql/sql_parse.cc:7808(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x5643dd668edb]
      sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x5643dd6411fd]
      sql/sql_parse.cc:1406(do_command(THD*, bool))[0x5643dd63df3a]
      sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x5643ddb0bedb]
      sql/sql_connect.cc:1322(handle_one_connection)[0x5643ddb0b89c]
      perfschema/pfs.cc:2203(pfs_spawn_thread)[0x5643de73d0bc]
      nptl/pthread_create.c:442(start_thread)[0x7ff166aa8044]
      x86_64/clone3.S:83(clone3)[0x7ff166b2861c]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x62d00019c198): BEGIN NOT ATOMIC SELECT * FROM t LIMIT ?; END
       
      Connection ID (thread ID): 4
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,cset_narrowing=off
      

      The failure started happening after a set of commits for MDEV-5816.


              shulga Dmitry Shulga
              elenst Elena Stepanova