ASAN: heap-use-after-free in memcpy from sql/protocol.cc on SELECT

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');

CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;

INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);

CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';

SELECT * FROM t2 WHERE c=0;

==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8

READ of size 1 at 0x60b0000274ea thread T12

    #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)

    #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61

    #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491

    #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157

    #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379

    #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643

    #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359

    #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189

    #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090

    #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080

    #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100

    #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000

    #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988

    #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774

    #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304

    #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630

    #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093

    #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942

    #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815

    #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892

    #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405

    #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445

    #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347

    #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

    #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)

freed by thread T12 here:

    #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)

    #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183

    #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377

    #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380

    #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803

    #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751

    #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028

    #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288

    #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49

    #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000

    #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988

    #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774

    #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304

    #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630

    #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093

    #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942

    #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815

    #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892

    #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405

    #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445

    #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347

    #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

previously allocated by thread T12 here:

    #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)

    #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93

    #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231

    #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547

    #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398

    #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515

    #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082

    #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718

    #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195

    #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065

    #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968

    #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657

    #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966

    #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290

    #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630

    #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093

    #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942

    #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815

    #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892

    #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405

    #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445

    #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347

    #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

Thread T12 created by T0 here:

    #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)

    #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079

    #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203

    #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316

    #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974

    #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy

Shadow bytes around the buggy address:

  0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa

  0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa

  0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd

  0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa

=>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd

  0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==168604==ABORTING

240426 14:06:32 [ERROR] mysqld got signal 6 ;

==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8

READ of size 1 at 0x60b000034a0a thread T10

    #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)

    #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61

    #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491

    #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527

    #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157

    #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379

    #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643

    #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483

    #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359

    #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189

    #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090

    #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100

    #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000

    #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988

    #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774

    #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304

    #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630

    #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093

    #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942

    #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815

    #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892

    #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405

    #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445

    #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347

    #24 0x14988048f189 in start_thread nptl/pthread_create.c:444

    #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)

freed by thread T10 here:

    #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)

    #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221

    #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183

    #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377

    #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380

    #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803

    #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751

    #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028

    #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288

    #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49

    #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000

    #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988

    #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774

    #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304

    #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630

    #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093

    #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942

    #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815

    #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892

    #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405

    #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445

    #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347

    #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

previously allocated by thread T10 here:

    #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)

    #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93

    #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231

    #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547

    #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398

    #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515

    #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600

    #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082

    #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718

    #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195

    #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065

    #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968

    #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657

    #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966

    #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290

    #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630

    #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093

    #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942

    #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815

    #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892

    #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405

    #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445

    #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347

    #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

Thread T10 created by T0 here:

    #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)

    #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079

    #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141

    #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203

    #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316

    #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974

    #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34

    #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy

Shadow bytes around the buggy address:

  0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd

  0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd

  0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa

  0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

=>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==186631==ABORTING

240426 14:06:32 [ERROR] mysqld got signal 6 ;

Compiled with a recent version of GCC (I use GCC 12.3.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1