
heap-use-after-free in Prepared_statement::execute()


Details

    Description

      The following mysqltest script (the `|` delimiter lets the multi-statement procedure body be sent as a single statement):

      # Reproducer (mysqltest syntax): a stored procedure that prepares and
      # executes DROP PROCEDURE on itself while its own body is still running.
      # NOTE(review): nothing here needs elevated rights beyond creating,
      # calling and dropping a procedure, so treat the resulting
      # use-after-free as at least a server crash reachable by an ordinary
      # account with those privileges -- confirm against the privilege model.
      delimiter |;
       
      --disable_warnings
      create procedure p0()
      begin
        prepare stmt from "drop procedure p0";
        execute stmt;
      end|
      call p0()|
      

      leads to the following AddressSanitizer report (in a build without ASan the same read of freed memory is undefined behaviour, so this should be handled as a crash/memory-safety bug, not only a sanitizer finding):

      SUMMARY: AddressSanitizer: heap-use-after-free /src/mariadb/sql/sql_prepare.cc:5428 in Prepared_statement::execute(String*, bool, select_result*, Server_side_cursor**)
      

      with the following stack trace (frame #14 shows the faulting access is an 8-byte read, `is_write=false, access_size=8`; frames #17–#26 show it occurs while `EXECUTE stmt` runs inside the still-executing body of `p0`, i.e. after the prepared `DROP PROCEDURE p0` has already run):

      #0  __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:89
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:100
      #3  0x00005d2f679ef539 in my_write_core (sig=6) at /src/mariadb/mysys/stacktrace.c:424
      #4  0x00005d2f64414c19 in handle_fatal_signal (sig=6) at /src/mariadb/sql/signal_handler.cc:298
      #5  <signal handler called>
      #6  __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
      #7  __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:89
      #8  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:100
      #9  0x00007fe1edc45e2e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
      #10 0x00007fe1edc28888 in __GI_abort () at ./stdlib/abort.c:77
      #11 0x00007fe1ef63b7d9 in __sanitizer::Abort () at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:163
      #12 0x00007fe1ef7585ad in __sanitizer::Die () at ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:58
      #13 0x00007fe1ef72e6ce in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0x7be1dccf36c6) at ../../../../src/libsanitizer/asan/asan_report.cpp:193
      #14 0x00007fe1ef72dbae in __asan::ReportGenericError (pc=102458096577066, bp=136210002428736, sp=sp@entry=136210002428720, addr=138752894957880, is_write=is_write@entry=false, access_size=8, fatal=true, exp=<optimized out>) at ../../../../src/libsanitizer/asan/asan_report.cpp:508
      #15 0x00007fe1ef72dd18 in __asan::ReportGenericError (pc=<optimized out>, bp=bp@entry=136210002428736, sp=sp@entry=136210002428720, addr=<optimized out>, is_write=is_write@entry=false, access_size=access_size@entry=8, exp=<optimized out>, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:508
      #16 0x00007fe1ef72f139 in __asan::__asan_report_load8 (addr=<optimized out>) at ../../../../src/libsanitizer/asan/asan_rtl.cpp:131
      #17 0x00005d2f62736a2a in Prepared_statement::execute (this=0x7d71ece3a098, expanded_query=0x7be1dba066e0, open_cursor=false, result_arg=0x7d71ece3a1e8, cursor_arg=0x7d71ece3a258) at /src/mariadb/sql/sql_prepare.cc:5428
      #18 0x00005d2f6271b94f in Prepared_statement::execute_loop (this=0x7d71ece3a098, expanded_query=0x7be1dba066e0, open_cursor=false, result_arg=0x7d71ece3a1e8, cursor_arg=0x7d71ece3a258, instrs_set_placeholder=..., packet=0x0, packet_end=0x0) at /src/mariadb/sql/sql_prepare.cc:4703
      #19 0x00005d2f626fa854 in mysql_sql_stmt_execute (thd=0x7ea1ece90218, name=..., cmd=0x5d2f6884aae0 "EXECUTE", open_dynamic_cursor=false, result_arg=0x0, cursor_arg=0x0) at /src/mariadb/sql/sql_prepare.cc:3635
      #20 0x00005d2f626faffe in mysql_sql_stmt_execute (thd=0x7ea1ece90218) at /src/mariadb/sql/sql_prepare.cc:3649
      #21 0x00005d2f6255e67f in mysql_execute_command (thd=0x7ea1ece90218, is_called_from_prepared_stmt=false) at /src/mariadb/sql/sql_parse.cc:4003
      #22 0x00005d2f63945818 in sp_instr_stmt::exec_core (this=0x7e31ed03bfd8, thd=0x7ea1ece90218, nextp=0x7be1dbc54030) at /src/mariadb/sql/sp_instr.cc:1269
      #23 0x00005d2f63931972 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7e31ed03c018, thd=0x7ea1ece90218, nextp=0x7be1dbc54030, open_tables=false, instr=0x7e31ed03bfd8, rerun_the_same_instr=false) at /src/mariadb/sql/sp_instr.cc:420
      #24 0x00005d2f63935ce3 in sp_lex_keeper::validate_lex_and_exec_core (this=0x7e31ed03c018, thd=0x7ea1ece90218, nextp=0x7be1dbc54030, open_tables=false, instr=0x7e31ed03bfd8) at /src/mariadb/sql/sp_instr.cc:599
      #25 0x00005d2f639432b3 in sp_instr_stmt::execute (this=0x7e31ed03bfd8, thd=0x7ea1ece90218, nextp=0x7be1dbc54030) at /src/mariadb/sql/sp_instr.cc:1171
      #26 0x00005d2f61d49edd in sp_head::execute (this=0x7e31ed03a9b8, thd=0x7ea1ece90218, merge_da_on_success=true) at /src/mariadb/sql/sp_head.cc:1292
      #27 0x00005d2f61d61944 in sp_head::execute_procedure (this=0x7e31ed03a9b8, thd=0x7ea1ece90218, args=0x7ea1ece95900) at /src/mariadb/sql/sp_head.cc:2329
      #28 0x00005d2f625452cf in do_execute_sp (thd=0x7ea1ece90218, sp=0x7e31ed03a9b8) at /src/mariadb/sql/sql_parse.cc:3077
      #29 0x00005d2f6254c7e5 in Sql_cmd_call::execute (this=0x7eb1ecee46f0, thd=0x7ea1ece90218) at /src/mariadb/sql/sql_parse.cc:3315
      #30 0x00005d2f62586f11 in mysql_execute_command (thd=0x7ea1ece90218, is_called_from_prepared_stmt=false) at /src/mariadb/sql/sql_parse.cc:5901
      #31 0x00005d2f625afbfe in mysql_parse (thd=0x7ea1ece90218, rawbuf=0x7eb1ecee4438 "call p0()", length=9, parser_state=0x7be1dbedb180) at /src/mariadb/sql/sql_parse.cc:7940
      #32 0x00005d2f6252b04c in dispatch_command (command=COM_QUERY, thd=0x7ea1ece90218, packet=0x7e71ed092219 "call p0()", packet_length=9, blocking=true) at /src/mariadb/sql/sql_parse.cc:1896
      #33 0x00005d2f6251f0ab in do_command (thd=0x7ea1ece90218, blocking=true) at /src/mariadb/sql/sql_parse.cc:1432
      #34 0x00005d2f632fd5fb in do_handle_one_connection (connect=0x7c61ecde45b8, put_in_cache=true) at /src/mariadb/sql/sql_connect.cc:1503
      #35 0x00005d2f632fc68a in handle_one_connection (arg=0x7c61ecde4538) at /src/mariadb/sql/sql_connect.cc:1415
      #36 0x00005d2f65cd4f71 in pfs_spawn_thread (arg=0x7d51ecde8918) at /src/mariadb/storage/perfschema/pfs.cc:2198
      #37 0x00007fe1ef65f803 in asan_thread_start (arg=0x7be1dccfb000) at ../../../../src/libsanitizer/asan/asan_interceptors.cpp:239
      #38 0x00007fe1edca3d64 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:448
      #39 0x00007fe1edd373fc in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Reproduced on main (commit 21a0714a11).


          People

            shulga Dmitry Shulga
            qobood Vasilii Lakhin