Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-34003

ASAN: heap-use-after-free in memcpy from sql/protocol.cc on SELECT

Details

    Description

      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      		 
      CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
      		 
      CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
      		 
      INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
      		 
      CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
      		 
      SELECT * FROM t2 WHERE c=0;

      Leads to:

      11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)

      		 
      ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
      		 
      READ of size 1 at 0x60b0000274ea thread T12
      		 
          #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
      		 
          #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
      		 
          #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
      		 
          #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
      		 
          #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
      		 
          #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
      		 
          #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
      		 
          #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
      		 
          #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
      		 
          #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
      		 
          #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
      		 
          #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
      		 
          #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
      		 
          #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
      		 
          #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
      		 
          #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
      		 
          #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
      		 
          #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
      		 
          #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
      		 
          #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
      		 
          #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
      		 
          #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
      		 
          #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
      		 
          #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
      		 
          #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      		 
       
      		 
      0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
      		 
      freed by thread T12 here:
      		 
          #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
      		 
          #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
      		 
          #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
      		 
          #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
      		 
          #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
      		 
          #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
      		 
          #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
      		 
          #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
      		 
          #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
      		 
          #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
      		 
          #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
      		 
          #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
      		 
          #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
      		 
          #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
      		 
          #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
      		 
          #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
      		 
          #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
      		 
          #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
      		 
          #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
      		 
          #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
      		 
          #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
      		 
          #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
      		 
       
      		 
      previously allocated by thread T12 here:
      		 
          #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
      		 
          #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
      		 
          #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
      		 
          #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
      		 
          #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
      		 
          #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
      		 
          #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
      		 
          #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
      		 
          #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
      		 
          #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
      		 
          #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
      		 
          #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
      		 
          #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
      		 
          #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
      		 
          #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
      		 
          #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
      		 
          #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
      		 
          #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
      		 
          #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
      		 
          #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
      		 
          #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
      		 
          #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
      		 
          #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
      		 
       
      		 
      Thread T12 created by T0 here:
      		 
          #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
      		 
          #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
      		 
          #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
      		 
          #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
      		 
          #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
      		 
          #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      		 
        0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
        0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      		 
        0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
      		 
        0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      		 
      =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
      		 
        0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==168604==ABORTING
      		 
      240426 14:06:32 [ERROR] mysqld got signal 6 ;

      And on debug to (differs: Protocol_text::store_str vs Protocol::store

      11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)

      		 
      ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
      		 
      READ of size 1 at 0x60b000034a0a thread T10
      		 
          #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
      		 
          #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
      		 
          #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
      		 
          #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
      		 
          #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
      		 
          #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
      		 
          #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
      		 
          #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
      		 
          #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
      		 
          #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
      		 
          #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
      		 
          #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
      		 
          #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
      		 
          #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
      		 
          #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
      		 
          #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
      		 
          #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
      		 
          #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
      		 
          #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
      		 
          #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
      		 
          #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
      		 
          #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
      		 
          #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
      		 
          #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
      		 
          #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
      		 
          #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      		 
       
      		 
      0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
      		 
      freed by thread T10 here:
      		 
          #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
      		 
          #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
      		 
          #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
      		 
          #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
      		 
          #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
      		 
          #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
      		 
          #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
      		 
          #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
      		 
          #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
      		 
          #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
      		 
          #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
      		 
          #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
      		 
          #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
      		 
          #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
      		 
          #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
      		 
          #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
      		 
          #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
      		 
          #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
      		 
          #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
      		 
          #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
      		 
          #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
      		 
          #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
      		 
          #22 0x14988048f189 in start_thread nptl/pthread_create.c:444
      		 
       
      		 
      previously allocated by thread T10 here:
      		 
          #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
      		 
          #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
      		 
          #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
      		 
          #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
      		 
          #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
      		 
          #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
      		 
          #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
      		 
          #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
      		 
          #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
      		 
          #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
      		 
          #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
      		 
          #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
      		 
          #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
      		 
          #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
      		 
          #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
      		 
          #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
      		 
          #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
      		 
          #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
      		 
          #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
      		 
          #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
      		 
          #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
      		 
          #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
      		 
          #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
      		 
          #23 0x14988048f189 in start_thread nptl/pthread_create.c:444
      		 
       
      		 
      Thread T10 created by T0 here:
      		 
          #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
      		 
          #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
      		 
          #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
      		 
          #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
      		 
          #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
      		 
          #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
      		 
          #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
      		 
          #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
      		 
        0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
      		 
        0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      		 
      =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==186631==ABORTING
      		 
      240426 14:06:32 [ERROR] mysqld got signal 6 ;

      Setup:

      Compiled with a recent version of GCC (I use GCC 12.3.0) and:
      		 
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      		 
      Set before execution:
      		 
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

      Bug confirmed present in:
      MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)

      Attachments

        Issue Links

          duplicates

          Task - A task that needs to be done. MDEV-33742 do not create spider group by handler when all tables are constant

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Task - A task that needs to be done. MDEV-33742 do not create spider group by handler when all tables are constant

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-34076 Spider: heap-use-after-free in my_convert on SELECT

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            Roel Roel Van de Paar created issue -
            Roel Roel Van de Paar made changes -
            Field Original Value New Value
            Roel Roel Van de Paar added a comment - - edited

            This MTR testcase causes a core to be generated on UB+ASAN builds, AND it reproduces both issues mentioned above on opt/dbg in the error log.

            --source include/have_innodb.inc
            		 
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            		 
            --let $SOCKET= `SELECT @@global.socket`
            		 
            CREATE USER spider@localhost IDENTIFIED BY 'pwd';
            		 
            GRANT ALL ON test.* TO spider@localhost;
            		 
            eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET",DATABASE 'test',USER 'spider',PASSWORD 'pwd');
            		 
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            		 
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            		 
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            		 
            SET spider_same_server_link=1;
            		 
            --error 12720
            		 
            SELECT * FROM t2 WHERE c=0;

            The core generated shows the crash to happen in ASAN based upon the crash in mariadbd:

            11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)

            		 
            #10 0x000055aa00070702 in __sanitizer::Abort() ()
            		 
            #11 0x000055aa0007d681 in __sanitizer::Die() ()
            		 
            #12 0x000055aa0005acbe in __asan::ScopedInErrorReport::~ScopedInErrorReport() ()
            		 
            #13 0x000055aa0005a1b6 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
            		 
            #14 0x000055a9fffdaf99 in memcpy ()
            		 
            #15 0x000055aa0025ab90 in Protocol::net_store_data (length=1, from=0x60b0000190aa "1", this=0x62b00017a7a0)
            		 
                at /test/11.5_opt_san/sql/protocol.cc:61
            		 
            #16 Protocol::store_string_aux (this=0x62b00017a7a0, from=0x60b0000190aa "1", length=1, fromcs=<optimized out>, 
                tocs=<optimized out>) at /test/11.5_opt_san/sql/protocol.cc:1491
            		 
            #17 0x000055aa01e716bd in Protocol::store (cs=0x55aa0d5d33c0 <my_charset_bin>, length=1, from=0x60b0000190aa "1", 
                this=0x62b00017a7a0) at /test/11.5_opt_san/sql/protocol.h:157
            		 
            #18 Field_longstr::send (this=<optimized out>, protocol=0x62b00017a7a0) at /test/11.5_opt_san/sql/field.cc:7379
            		 
            #19 0x000055aa0024d352 in Protocol_text::store (this=0x62b00017a7a0, field=0x61900030d6a0)
            		 
                at /test/11.5_opt_san/sql/protocol.cc:1643

            The ASAN crash itself can perhaps be ignored.

            Roel Roel Van de Paar added a comment - - edited This MTR testcase causes a core to be generated on UB+ASAN builds, AND it reproduces both issues mentioned above on opt/dbg in the error log. --source include/have_innodb.inc INSTALL PLUGIN Spider SONAME 'ha_spider.so' ; --let $SOCKET= `SELECT @@global.socket` CREATE USER spider@localhost IDENTIFIED BY 'pwd' ; GRANT ALL ON test.* TO spider@localhost; eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET "$SOCKET" , DATABASE 'test' , USER 'spider' , PASSWORD 'pwd' ); CREATE TABLE t (c INT KEY ,c1 BLOB,c2 TEXT) ENGINE=InnoDB; INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0); CREATE TABLE t2 (c INT KEY ,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT= 'WRAPPER "mysql",SRV "srv",TABLE "t"' ; SET spider_same_server_link=1; --error 12720 SELECT * FROM t2 WHERE c=0; The core generated shows the crash to happen in ASAN based upon the crash in mariadbd: 11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN) #10 0x000055aa00070702 in __sanitizer::Abort() () #11 0x000055aa0007d681 in __sanitizer::Die() () #12 0x000055aa0005acbe in __asan::ScopedInErrorReport::~ScopedInErrorReport() () #13 0x000055aa0005a1b6 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) () #14 0x000055a9fffdaf99 in memcpy () #15 0x000055aa0025ab90 in Protocol::net_store_data (length=1, from=0x60b0000190aa "1", this=0x62b00017a7a0) at /test/11.5_opt_san/sql/protocol.cc:61 #16 Protocol::store_string_aux (this=0x62b00017a7a0, from=0x60b0000190aa "1", length=1, fromcs=<optimized out>, tocs=<optimized out>) at /test/11.5_opt_san/sql/protocol.cc:1491 #17 0x000055aa01e716bd in Protocol::store (cs=0x55aa0d5d33c0 <my_charset_bin>, length=1, from=0x60b0000190aa "1", this=0x62b00017a7a0) at /test/11.5_opt_san/sql/protocol.h:157 #18 Field_longstr::send (this=<optimized out>, protocol=0x62b00017a7a0) at /test/11.5_opt_san/sql/field.cc:7379 #19 0x000055aa0024d352 in Protocol_text::store (this=0x62b00017a7a0, field=0x61900030d6a0) at /test/11.5_opt_san/sql/protocol.cc:1643 The ASAN crash itself can perhaps be ignored.
            Roel Roel Van de Paar made changes -
            Assignee Roel Van de Paar [ roel ] Yuchen Pei [ JIRAUSER52627 ]
            Roel Roel Van de Paar made changes -
            Fix Version/s 11.1 [ 28549 ]
            Fix Version/s 11.2 [ 28603 ]
            Fix Version/s 11.3 [ 28565 ]
            Fix Version/s 11.4 [ 29301 ]
            Fix Version/s 11.5 [ 29506 ]
            Affects Version/s 11.1 [ 28549 ]
            Affects Version/s 11.2 [ 28603 ]
            Affects Version/s 11.3 [ 28565 ]
            Affects Version/s 11.4 [ 29301 ]
            Labels memory_corruption ASAN memory_corruption regression-11.1
            Priority Major [ 3 ] Critical [ 2 ]
            Roel Roel Van de Paar made changes -
            Description {code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}             		{code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.3.3 (opt)
            Roel Roel Van de Paar made changes -
            Description {code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.3.3 (opt)             		{code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)
            Roel Roel Van de Paar made changes -
            Description {code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)             		{code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.3.3 (opt)
            Roel Roel Van de Paar added a comment -

            All UniqeID's/stacks seen across versions (11.1-11.5):

            ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store
            		 
            ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str
            		 
            ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store
            		 
            ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str

            Oddly, the issue does not reproduce at the CLI in 11.3.3 opt specifically/only, but does in MTR for the same version.

            Roel Roel Van de Paar added a comment - All UniqeID's/stacks seen across versions (11.1-11.5): ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store ASAN|heap-use-after-free|sql/protocol.cc|__interceptor_memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol::store ASAN|heap-use-after-free|sql/protocol.cc|memcpy|Protocol::net_store_data|Protocol::store_string_aux|Protocol_text::store_str Oddly, the issue does not reproduce at the CLI in 11.3.3 opt specifically/only, but does in MTR for the same version.
            Roel Roel Van de Paar made changes -
            Description {code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.3.3 (opt)             		{code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)
            Roel Roel Van de Paar made changes -
            Description {code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)             		{code:sql}
            INSTALL PLUGIN Spider SONAME 'ha_spider.so';
            CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE'',USER'',PASSWORD'');
            CREATE TABLE t (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=InnoDB;
            INSERT INTO t VALUES (0,1,0),(1,0,0),(2,0,0);
            CREATE TABLE t2 (c INT KEY,c1 BLOB,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
            SELECT * FROM t2 WHERE c=0;
            {code}
            Leads to:
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Optimized, UBASAN)}
            ==168604==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000274ea at pc 0x558ace27bf7a bp 0x152ca02d7c30 sp 0x152ca02d73d8
            READ of size 1 at 0x60b0000274ea thread T12
                #0 0x558ace27bf79 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79)
                #1 0x558ace4fbb8f in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_opt_san/sql/protocol.cc:61
                #2 0x558ace4fbb8f in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_opt_san/sql/protocol.cc:1491
                #3 0x558ad01126bc in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_opt_san/sql/protocol.h:157
                #4 0x558ad01126bc in Field_longstr::send(Protocol*) /test/11.5_opt_san/sql/field.cc:7379
                #5 0x558ace4ee351 in Protocol_text::store(Field*) /test/11.5_opt_san/sql/protocol.cc:1643
                #6 0x558ace4f9271 in Protocol::send_result_set_row(List<Item>*) /test/11.5_opt_san/sql/protocol.cc:1359
                #7 0x558ace82115d in select_send::send_data(List<Item>&) /test/11.5_opt_san/sql/sql_class.cc:3189
                #8 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6090
                #9 0x558acf13d848 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_opt_san/sql/sql_class.h:6080
                #10 0x558acf13d848 in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:100
                #11 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #12 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #13 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #14 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #15 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #16 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #17 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #18 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #19 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #20 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #21 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #22 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #23 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444
                #24 0x152cc1f1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b0000274ea is located 74 bytes inside of 104-byte region [0x60b0000274a0,0x60b000027508)
            freed by thread T12 here:
                #0 0x558ace2f0aa0 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f71aa0)
                #1 0x152c9ee00010 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_opt_san/storage/spider/spd_malloc.cc:183
                #2 0x152c9ef1fb5f in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:377
                #3 0x152c9ef1fca4 in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:380
                #4 0x152c9ec8993a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2803
                #5 0x152c9ec8a5e2 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:2751
                #6 0x152c9f00ca6c in spider_prepare_init_scan /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1028
                #7 0x152c9f00ca6c in spider_group_by_handler::init_scan() /test/11.5_opt_san/storage/spider/spd_group_by_handler.cc:1288
                #8 0x558acf13c88f in Pushdown_query::execute(JOIN*) /test/11.5_opt_san/sql/group_by_handler.cc:49
                #9 0x558acf0200d5 in do_select /test/11.5_opt_san/sql/sql_select.cc:23000
                #10 0x558acf0200d5 in JOIN::exec_inner() /test/11.5_opt_san/sql/sql_select.cc:4988
                #11 0x558acf025f16 in JOIN::exec() /test/11.5_opt_san/sql/sql_select.cc:4774
                #12 0x558acf013a26 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5304
                #13 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #14 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #15 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #16 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #17 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #18 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #19 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #20 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #21 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T12 here:
                #0 0x558ace2f1f4f in malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7f72f4f)
                #1 0x558ad297a315 in my_malloc /test/11.5_opt_san/mysys/my_malloc.c:93
                #2 0x152c9ee00434 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_opt_san/storage/spider/spd_malloc.cc:231
                #3 0x152c9ef5db6d in spider_db_mbase_row::clone() /test/11.5_opt_san/storage/spider/spd_db_mysql.cc:547
                #4 0x152c9ec91ec9 in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_opt_san/storage/spider/spd_db_conn.cc:3398
                #5 0x152c9ee6f3fd in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/storage/spider/ha_spider.cc:1515
                #6 0x558ad0229c50 in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:7082
                #7 0x558ad0265657 in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_opt_san/sql/handler.cc:3718
                #8 0x558aceef9137 in join_read_const /test/11.5_opt_san/sql/sql_select.cc:24195
                #9 0x558aceefa168 in join_read_const_table /test/11.5_opt_san/sql/sql_select.cc:24065
                #10 0x558acefd8c06 in make_join_statistics /test/11.5_opt_san/sql/sql_select.cc:5968
                #11 0x558acf00c75c in JOIN::optimize_inner() /test/11.5_opt_san/sql/sql_select.cc:2657
                #12 0x558acf012e89 in JOIN::optimize() /test/11.5_opt_san/sql/sql_select.cc:1966
                #13 0x558acf01375a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_opt_san/sql/sql_select.cc:5290
                #14 0x558acf0176ca in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_opt_san/sql/sql_select.cc:630
                #15 0x558aceb7c8ae in execute_sqlcom_select /test/11.5_opt_san/sql/sql_parse.cc:6093
                #16 0x558acebe19bc in mysql_execute_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:3942
                #17 0x558acebf0aed in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_opt_san/sql/sql_parse.cc:7815
                #18 0x558acebfe519 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_opt_san/sql/sql_parse.cc:1892
                #19 0x558acec08ce3 in do_command(THD*, bool) /test/11.5_opt_san/sql/sql_parse.cc:1405
                #20 0x558acf59a887 in do_handle_one_connection(CONNECT*, bool) /test/11.5_opt_san/sql/sql_connect.cc:1445
                #21 0x558acf59d27c in handle_one_connection /test/11.5_opt_san/sql/sql_connect.cc:1347
                #22 0x152cc1e8f189 in start_thread nptl/pthread_create.c:444

            Thread T12 created by T0 here:
                #0 0x558ace27d5d5 in __interceptor_pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efe5d5)
                #1 0x558ace35159d in create_thread_to_handle_connection(CONNECT*) /test/11.5_opt_san/sql/mysqld.cc:6079
                #2 0x558ace3648cb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_opt_san/sql/mysqld.cc:6203
                #3 0x558ace36596f in handle_connections_sockets() /test/11.5_opt_san/sql/mysqld.cc:6316
                #4 0x558ace368b78 in mysqld_main(int, char**) /test/11.5_opt_san/sql/mysqld.cc:5974
                #5 0x152cc1e23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-opt/bin/mariadbd+0x7efcf79) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffce40: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
              0x0c167fffce50: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
              0x0c167fffce60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
              0x0c167fffce70: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
              0x0c167fffce80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
            =>0x0c167fffce90: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fd
              0x0c167fffcea0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffcee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==168604==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}
            And on debug to (differs: {{Protocol_text::store_str}} vs {{Protocol::store}}
            {noformat:title=11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug, UBASAN)}
            ==186631==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000034a0a at pc 0x555cd8d82a4a bp 0x14985edddb20 sp 0x14985eddd2c8
            READ of size 1 at 0x60b000034a0a thread T10
                #0 0x555cd8d82a49 in memcpy (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49)
                #1 0x555cd90234a4 in Protocol::net_store_data(unsigned char const*, unsigned long) /test/11.5_dbg_san/sql/protocol.cc:61
                #2 0x555cd9040999 in Protocol::store_string_aux(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1491
                #3 0x555cd9040cf9 in Protocol_text::store_str(char const*, unsigned long, charset_info_st const*, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.cc:1527
                #4 0x555cdae6a970 in Protocol::store(char const*, unsigned long, charset_info_st const*) /test/11.5_dbg_san/sql/protocol.h:157
                #5 0x555cdae6a970 in Field_longstr::send(Protocol*) /test/11.5_dbg_san/sql/field.cc:7379
                #6 0x555cd901fda2 in Protocol_text::store(Field*) /test/11.5_dbg_san/sql/protocol.cc:1643
                #7 0x555cdb06b3d4 in Item_field::send(Protocol*, st_value*) /test/11.5_dbg_san/sql/item.cc:7483
                #8 0x555cd903d2a0 in Protocol::send_result_set_row(List<Item>*) /test/11.5_dbg_san/sql/protocol.cc:1359
                #9 0x555cd9382f13 in select_send::send_data(List<Item>&) /test/11.5_dbg_san/sql/sql_class.cc:3189
                #10 0x555cd9d2ffbd in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.5_dbg_san/sql/sql_class.h:6090
                #11 0x555cd9d2ffbd in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:100
                #12 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #13 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #14 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #15 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #16 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #17 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #18 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #19 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #20 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #21 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #22 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #23 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #24 0x14988048f189 in start_thread nptl/pthread_create.c:444
                #25 0x14988051dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

            0x60b000034a0a is located 74 bytes inside of 104-byte region [0x60b0000349c0,0x60b000034a28)
            freed by thread T10 here:
                #0 0x555cd8df7570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
                #1 0x555cdd76632c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
                #2 0x14985d81f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
                #3 0x14985d98879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
                #4 0x14985d98889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
                #5 0x14985d6a7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
                #6 0x14985d6a7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
                #7 0x14985da3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
                #8 0x14985da3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
                #9 0x555cd9d2e7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
                #10 0x555cd9b97052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
                #11 0x555cd9b97052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
                #12 0x555cd9b9a00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
                #13 0x555cd9b88138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
                #14 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #15 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #16 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #17 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #18 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #19 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #20 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #21 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #22 0x14988048f189 in start_thread nptl/pthread_create.c:444

            previously allocated by thread T10 here:
                #0 0x555cd8df8a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
                #1 0x555cdd765fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
                #2 0x14985d81fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
                #3 0x14985d993e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
                #4 0x14985d6b220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
                #5 0x14985d893aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
                #6 0x14985d895058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
                #7 0x555cdafcf03b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
                #8 0x555cdaffa73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
                #9 0x555cd9ac53fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
                #10 0x555cd9ac6297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
                #11 0x555cd9b47382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
                #12 0x555cd9b8559f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
                #13 0x555cd9b876a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
                #14 0x555cd9b87e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
                #15 0x555cd9b8c67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
                #16 0x555cd96fc467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
                #17 0x555cd9756dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
                #18 0x555cd977d1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
                #19 0x555cd978d546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
                #20 0x555cd979c387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
                #21 0x555cda1d454b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
                #22 0x555cda1d5af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
                #23 0x14988048f189 in start_thread nptl/pthread_create.c:444

            Thread T10 created by T0 here:
                #0 0x555cd8d840a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
                #1 0x555cd8e566f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
                #2 0x555cd8e682cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
                #3 0x555cd8e68ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
                #4 0x555cd8e69d56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
                #5 0x555cd8e6e73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
                #6 0x555cd8e43cbc in main /test/11.5_dbg_san/sql/main.cc:34
                #7 0x149880423a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

            SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e52a49) in memcpy
            Shadow bytes around the buggy address:
              0x0c167fffe8f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe900: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
              0x0c167fffe910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
              0x0c167fffe920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
              0x0c167fffe930: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
            =>0x0c167fffe940: fd[fd]fd fd fd fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c167fffe990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
            ==186631==ABORTING
            240426 14:06:32 [ERROR] mysqld got signal 6 ;
            {noformat}

            Setup:
            {noformat}
            Compiled with a recent version of GCC (I use GCC 12.3.0) and:
                -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
            Set before execution:
                export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
            {noformat}

            Bug confirmed present in:
            MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

            Bug (or feature/syntax) confirmed not present in:
            MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)
            Roel Roel Van de Paar made changes -
            Labels ASAN memory_corruption regression-11.1 ASAN memory_corruption
            ycp Yuchen Pei added a comment - - edited

            looks like an 11.0-regression. passed on 10.11 22a69c782710b2bb53917603f5ecc8f6e0d0819a and failed on 11.0 e3ac7b803357cd0c798933419df99ce3081c0d81

            it's actually a bit more complicated than that. there's another commit af4df93cf855228f094f2a19f7dd0bdc005035cf that is an ancestor of 10.11 where the bug exists

            A "reverse bisect" shows that the following commit that has not yet propagated to 11.0 fixes the main test case

            f9e0ebeca49 * upstream/bb-10.4-mdev-33742 MDEV-33742 Do not create group by handler when all tables are constant

            It is not clear why, though, beyond the fact that the table is indeed const with the conditioning of the key c = 1. I tried a few adjacent testcases and they all pass. I think we can close this ticket as a duplicate of MDEV-33742.

            ycp Yuchen Pei added a comment - - edited looks like an 11.0-regression. passed on 10.11 22a69c782710b2bb53917603f5ecc8f6e0d0819a and failed on 11.0 e3ac7b803357cd0c798933419df99ce3081c0d81 it's actually a bit more complicated than that. there's another commit af4df93cf855228f094f2a19f7dd0bdc005035cf that is an ancestor of 10.11 where the bug exists A "reverse bisect" shows that the following commit that has not yet propagated to 11.0 fixes the main test case f9e0ebeca49 * upstream/bb-10.4-mdev-33742 MDEV-33742 Do not create group by handler when all tables are constant It is not clear why, though, beyond the fact that the table is indeed const with the conditioning of the key c = 1 . I tried a few adjacent testcases and they all pass. I think we can close this ticket as a duplicate of MDEV-33742 .
            Roel Roel Van de Paar made changes -
            Labels ASAN memory_corruption ASAN memory_corruption regression-11.0
            Roel Roel Van de Paar made changes -
            Affects Version/s 11.0 [ 28320 ]
            ycp Yuchen Pei made changes -
            Labels ASAN memory_corruption regression-11.0 ASAN memory_corruption
            ycp Yuchen Pei made changes -
            ycp Yuchen Pei made changes -
            Fix Version/s N/A [ 14700 ]
            Fix Version/s 11.1 [ 28549 ]
            Fix Version/s 11.3 [ 28565 ]
            Fix Version/s 11.2 [ 28603 ]
            Fix Version/s 11.4 [ 29301 ]
            Resolution Duplicate [ 3 ]
            Status Open [ 1 ] Closed [ 6 ]
            ycp Yuchen Pei made changes -
            ycp Yuchen Pei added a comment -

            Nevertheless, I pushed a commit to 10.4 that simply adds the testcase in this ticket to improve coverage. No reviews needed because it just adds a testcase.

            3f2a5b28c6c upstream/bb-10.4-mdev-34003 MDEV-34003 Add testcase spider/bugfix.mdev_34003

            ycp Yuchen Pei added a comment - Nevertheless, I pushed a commit to 10.4 that simply adds the testcase in this ticket to improve coverage. No reviews needed because it just adds a testcase. 3f2a5b28c6c upstream/bb-10.4-mdev-34003 MDEV-34003 Add testcase spider/bugfix.mdev_34003
            ycp Yuchen Pei made changes -
            Resolution Duplicate [ 3 ]
            Status Closed [ 6 ] Stalled [ 10000 ]
            ycp Yuchen Pei made changes -
            Fix Version/s 10.4.34 [ 29625 ]
            Fix Version/s N/A [ 14700 ]
            Resolution Fixed [ 1 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            JIraAutomate JiraAutomate made changes -
            Fix Version/s 10.5.25 [ 29626 ]
            Fix Version/s 10.6.18 [ 29627 ]
            Fix Version/s 10.11.8 [ 29630 ]
            Fix Version/s 11.0.6 [ 29628 ]
            Fix Version/s 11.1.5 [ 29629 ]
            Fix Version/s 11.2.4 [ 29631 ]
            Fix Version/s 11.4.2 [ 29633 ]
            Roel Roel Van de Paar made changes -

            People

              ycp Yuchen Pei
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.