  1. MariaDB Server
  2. MDEV-39399

ASAN heap-use-after-free in sql/protocol.h, SIGSEGV in Protocol::valid_handler


Details

    Description

      # Minimal reproducer: an AFTER INSERT trigger whose body is SHOW PROFILES,
      # fired by a REPLACE ... RETURNING on the same table.
      # Clear sql_mode for this session (no SQL modes enabled).
      SET sql_mode='';
      # c3 is a virtual generated column derived from c; c is indexed.
      CREATE TABLE t (c BIGINT,c2 REAL(1,1) ZEROFILL,c3 CHAR AS (c) VIRTUAL,KEY(c)) ROW_FORMAT=COMPACT;
      # The trigger body is a SHOW statement, which produces its own result set.
      # NOTE(review): triggers are normally not allowed to return result sets;
      # whether SHOW PROFILES should be rejected at CREATE TRIGGER time is worth confirming.
      CREATE TRIGGER tr1 AFTER INSERT ON t FOR EACH ROW SHOW PROFILES;
      # RETURNING sends the row via Write_record::send_data after the AFTER INSERT
      # trigger has run. Per the ASAN report, Protocol::valid_handler then reads memory
      # that was allocated while executing the trigger statement (alloc_query under
      # sp_instr_stmt::execute) and freed by free_root in sp_head::execute.
      REPLACE INTO t VALUES (0,0,0) RETURNING c;
      

      Leads to:

      CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Debug, Clang 21.1.3-20250923) Build 10/04/2026

      Core was generated by `/test/MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005d0aaf811f35 in Protocol::valid_handler (this=0x6f4600001430, pos=0, type=PROTOCOL_SEND_LONGLONG) at /test/13.0_dbg/sql/protocol.h:51
       
      [Current thread is 1 (LWP 2574141)]
      (gdb) bt
      #0  0x00005d0aaf811f35 in Protocol::valid_handler (this=0x6f4600001430, pos=0, type=PROTOCOL_SEND_LONGLONG) at /test/13.0_dbg/sql/protocol.h:51
      #1  0x00005d0aaf80f2dd in Protocol_text::store_longlong (this=0x6f4600001430, from=0, unsigned_flag=false) at /test/13.0_dbg/sql/protocol.cc:1559
      #2  0x00005d0aaf5c7cf0 in Field_longlong::send (this=0x6f4600036728, protocol=0x6f4600001430) at /test/13.0_dbg/sql/field.cc:4824
      #3  0x00005d0aaf80e4a4 in Protocol_text::store (this=0x6f4600001430, field=0x6f4600036728) at /test/13.0_dbg/sql/protocol.cc:1615
      #4  0x00005d0aaf60f759 in Item_field::send (this=0x6f460001b948, protocol=0x6f4600001430, buffer=0x774748d21590)at /test/13.0_dbg/sql/item.cc:7959
      #5  0x00005d0aaf80e59c in Protocol::send_result_set_row (this=0x6f4600001430, row_items=0x6f4600005da8) at /test/13.0_dbg/sql/protocol.cc:1358
      #6  0x00005d0aaf8d9b5e in select_send::send_data (this=0x6f460001ba80, items=@0x6f4600005da8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6f460001ba70, last = 0x6f460001ba70, elements = 1}, <No data fields>})at /test/13.0_dbg/sql/sql_class.cc:3410
      #7  0x00005d0aaf9c7bf6 in Write_record::send_data (this=0x774748d21f30)at /test/13.0_dbg/sql/sql_insert.cc:2564
      #8  0x00005d0aaf9c7b8b in Write_record::after_insert (this=0x774748d21f30, inserted=0x774748d21a60) at /test/13.0_dbg/sql/sql_insert.cc:2542
      #9  0x00005d0aaf9bd7a8 in Write_record::replace_row (this=0x774748d21f30, inserted=0x774748d21a60, deleted=0x774748d21a58)at /test/13.0_dbg/sql/sql_insert.cc:2231
      #10 0x00005d0aaf9bc245 in Write_record::write_record (this=0x774748d21f30)at /test/13.0_dbg/sql/sql_insert.cc:2440
      #11 0x00005d0aaf9b99dd in mysql_insert (thd=0x6f4600000d58, table_list=0x6f460001a210, fields=@0x6f4600006218: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5d0ab0aeef70 <end_of_list>, last = 0x6f4600006218, elements = 0}, <No data fields>}, values_list=@0x6f4600006260: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x6f460001b030, last = 0x6f460001b030, elements = 1}, <No data fields>}, update_fields=@0x6f4600006248: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5d0ab0aeef70 <end_of_list>, last = 0x6f4600006248, elements = 0}, <No data fields>}, update_values=@0x6f4600006230: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5d0ab0aeef70 <end_of_list>, last = 0x6f4600006230, elements = 0}, <No data fields>}, duplic=DUP_REPLACE, ignore=false, result=0x6f460001ba80)at /test/13.0_dbg/sql/sql_insert.cc:1233
      #12 0x00005d0aafa1fb9e in mysql_execute_command (thd=0x6f4600000d58, is_called_from_prepared_stmt=false) at /test/13.0_dbg/sql/sql_parse.cc:4500
      #13 0x00005d0aafa169c8 in mysql_parse (thd=0x6f4600000d58, rawbuf=0x6f460001a110 "REPLACE INTO t VALUES (0,0,0) RETURNING c", length=41, parser_state=0x774748d239f0)at /test/13.0_dbg/sql/sql_parse.cc:7941
      #14 0x00005d0aafa1411e in dispatch_command (command=COM_QUERY, thd=0x6f4600000d58, packet=0x6f460000b4b9 "", packet_length=41, blocking=true) at /test/13.0_dbg/sql/sql_parse.cc:1898
      #15 0x00005d0aafa1744a in do_command (thd=0x6f4600000d58, blocking=true)at /test/13.0_dbg/sql/sql_parse.cc:1432
      #16 0x00005d0aafc1a70e in do_handle_one_connection (connect=0x5d0ab3860c68, put_in_cache=true) at /test/13.0_dbg/sql/sql_connect.cc:1503
      #17 0x00005d0aafc1a4f1 in handle_one_connection (arg=0x5d0ab37d1b78)at /test/13.0_dbg/sql/sql_connect.cc:1415
      #18 0x000077474a49ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #19 0x000077474a529c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  10.6   opt  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  No bug found                  
      CS  10.11  dbg  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  10.11  opt  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  No bug found                  
      CS  11.4   dbg  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  11.4   opt  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  No bug found                  
      CS  11.8   dbg  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  11.8   opt  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  No bug found                  
      CS  12.2   dbg  100426  d26a6f44c1f2119377e79a9540886c6d8c01472f  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  12.2   opt  100426  d26a6f44c1f2119377e79a9540886c6d8c01472f  No bug found                  
      CS  12.3   dbg  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  12.3   opt  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  No bug found                  
      CS  13.0   dbg  100426  3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      CS  13.0   opt  100426  3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23  No bug found                  
      ES  10.6   dbg  100426  84a80c8b38208d362225496da08d86d8d454e453  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      ES  10.6   opt  100426  84a80c8b38208d362225496da08d86d8d454e453  No bug found                  
      ES  11.4   dbg  100426  8b2bf17b733262409422ce7d039a0c021fc47077  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      ES  11.4   opt  100426  8b2bf17b733262409422ce7d039a0c021fc47077  No bug found                  
      ES  11.8   dbg  100426  854cae81f52e477c7777a51db26ba640d8755b81  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      ES  11.8   opt  100426  854cae81f52e477c7777a51db26ba640d8755b81  No bug found                  
      ES  12.3   dbg  220426  613a6253fe9efc12e166f83a97663ba263db8317  SIGSEGV|Protocol::valid_handler|Protocol_text::store_longlong|Field_longlong::send|Protocol_text::store
      ES  12.3   opt  220426  613a6253fe9efc12e166f83a97663ba263db8317  No bug found                                
      

      CS 13.0.1 3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23 (Debug, UBASAN, Clang 21.1.3-20250923) Build 10/04/2026

      ==2424454==ERROR: AddressSanitizer: heap-use-after-free on address 0x706c8b11a3c0 at pc 0x56a81b9d12dc bp 0x661b724ffe30 sp 0x661b724ffe28
      READ of size 8 at 0x706c8b11a3c0 thread T15
          #0 0x56a81b9d12db in Protocol::valid_handler(unsigned int, protocol_send_type_t) const /test/13.0_dbg_san/sql/protocol.h:51:12
          #1 0x56a81b9d12db in Protocol_text::store_longlong(long long, bool) /test/13.0_dbg_san/sql/protocol.cc:1559:3
          #2 0x56a81b9cdd97 in Protocol_text::store(Field*) /test/13.0_dbg_san/sql/protocol.cc:1615:19
          #3 0x56a81b9ce408 in Protocol::send_result_set_row(List<Item>*) /test/13.0_dbg_san/sql/protocol.cc:1358:15
          #4 0x56a81bc99328 in select_send::send_data(List<Item>&) /test/13.0_dbg_san/sql/sql_class.cc:3410:17
          #5 0x56a81bfe9032 in Write_record::send_data() /test/13.0_dbg_san/sql/sql_insert.cc:2564:23
          #6 0x56a81bfe8d82 in Write_record::after_insert(unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2542:29
          #7 0x56a81bfb62f4 in Write_record::replace_row(unsigned long long*, unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2231:10
          #8 0x56a81bfad766 in Write_record::write_record() /test/13.0_dbg_san/sql/sql_insert.cc:2440:10
          #9 0x56a81bf9f9e0 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/13.0_dbg_san/sql/sql_insert.cc:1233:22
          #10 0x56a81c11a909 in mysql_execute_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:4500:10
          #11 0x56a81c0f021d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_dbg_san/sql/sql_parse.cc:7941:18
          #12 0x56a81c0e7fee in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1898:7
          #13 0x56a81c0f25c4 in do_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1432:17
          #14 0x56a81c92a84c in do_handle_one_connection(CONNECT*, bool) /test/13.0_dbg_san/sql/sql_connect.cc:1503:11
          #15 0x56a81c92a355 in handle_one_connection /test/13.0_dbg_san/sql/sql_connect.cc:1415:5
          #16 0x56a81afe86ca in asan_thread_start(void*) crtstuff.c
          #17 0x721c8c29ca93 in start_thread nptl/pthread_create.c:447:8
          #18 0x721c8c329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x706c8b11a3c0 is located 704 bytes inside of 8184-byte region [0x706c8b11a100,0x706c8b11c0f8)
      freed by thread T15 here:
          #0 0x56a81afeabaa in free (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x4139baa) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
          #1 0x56a81e2a1327 in root_free /test/13.0_dbg_san/mysys/my_alloc.c:77:5
          #2 0x56a81e2a1327 in free_root /test/13.0_dbg_san/mysys/my_alloc.c:517:7
          #3 0x56a81ba95555 in sp_head::execute(THD*, bool) /test/13.0_dbg_san/sql/sp_head.cc:1386:5
          #4 0x56a81ba9b5f0 in sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*) /test/13.0_dbg_san/sql/sp_head.cc:1805:3
          #5 0x56a81c6a221a in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool, bool*, List<Item>*) /test/13.0_dbg_san/sql/sql_trigger.cc:2848:22
          #6 0x56a81bfe8d76 in Write_record::after_ins_trg() /test/13.0_dbg_san/sql/sql_insert.cc:2550:27
          #7 0x56a81bfe8d76 in Write_record::after_insert(unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2542:10
          #8 0x56a81bfb62f4 in Write_record::replace_row(unsigned long long*, unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2231:10
          #9 0x56a81bfad766 in Write_record::write_record() /test/13.0_dbg_san/sql/sql_insert.cc:2440:10
          #10 0x56a81bf9f9e0 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/13.0_dbg_san/sql/sql_insert.cc:1233:22
          #11 0x56a81c11a909 in mysql_execute_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:4500:10
          #12 0x56a81c0f021d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_dbg_san/sql/sql_parse.cc:7941:18
          #13 0x56a81c0e7fee in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1898:7
          #14 0x56a81c0f25c4 in do_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1432:17
          #15 0x56a81c92a84c in do_handle_one_connection(CONNECT*, bool) /test/13.0_dbg_san/sql/sql_connect.cc:1503:11
          #16 0x56a81c92a355 in handle_one_connection /test/13.0_dbg_san/sql/sql_connect.cc:1415:5
          #17 0x56a81afe86ca in asan_thread_start(void*) crtstuff.c
       
      previously allocated by thread T15 here:
          #0 0x56a81afeae48 in malloc (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x4139e48) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
          #1 0x56a81e2ed196 in my_malloc /test/13.0_dbg_san/mysys/my_malloc.c:93:29
          #2 0x56a81e29f063 in alloc_root /test/13.0_dbg_san/mysys/my_alloc.c:336:29
          #3 0x56a81c0f6dc5 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) const /test/13.0_dbg_san/sql/sql_class.h:1388:9
          #4 0x56a81c0f6dc5 in alloc_query(THD*, char const*, unsigned long) /test/13.0_dbg_san/sql/sql_parse.cc:2775:30
          #5 0x56a81cc583bd in sp_instr_stmt::execute(THD*, unsigned int*) /test/13.0_dbg_san/sql/sp_instr.cc:1158:14
          #6 0x56a81ba942ac in sp_head::execute(THD*, bool) /test/13.0_dbg_san/sql/sp_head.cc:1292:20
          #7 0x56a81ba9b5f0 in sp_head::execute_trigger(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_grant_info*) /test/13.0_dbg_san/sql/sp_head.cc:1805:3
          #8 0x56a81c6a221a in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool, bool*, List<Item>*) /test/13.0_dbg_san/sql/sql_trigger.cc:2848:22
          #9 0x56a81bfe8d76 in Write_record::after_ins_trg() /test/13.0_dbg_san/sql/sql_insert.cc:2550:27
          #10 0x56a81bfe8d76 in Write_record::after_insert(unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2542:10
          #11 0x56a81bfb62f4 in Write_record::replace_row(unsigned long long*, unsigned long long*) /test/13.0_dbg_san/sql/sql_insert.cc:2231:10
          #12 0x56a81bfad766 in Write_record::write_record() /test/13.0_dbg_san/sql/sql_insert.cc:2440:10
          #13 0x56a81bf9f9e0 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/13.0_dbg_san/sql/sql_insert.cc:1233:22
          #14 0x56a81c11a909 in mysql_execute_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:4500:10
          #15 0x56a81c0f021d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/13.0_dbg_san/sql/sql_parse.cc:7941:18
          #16 0x56a81c0e7fee in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1898:7
          #17 0x56a81c0f25c4 in do_command(THD*, bool) /test/13.0_dbg_san/sql/sql_parse.cc:1432:17
          #18 0x56a81c92a84c in do_handle_one_connection(CONNECT*, bool) /test/13.0_dbg_san/sql/sql_connect.cc:1503:11
          #19 0x56a81c92a355 in handle_one_connection /test/13.0_dbg_san/sql/sql_connect.cc:1415:5
          #20 0x56a81afe86ca in asan_thread_start(void*) crtstuff.c
       
      Thread T15 created by T0 here:
          #0 0x56a81afcedc5 in pthread_create (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x411ddc5) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
          #1 0x56a81b043eac in create_thread_to_handle_connection(CONNECT*) /test/13.0_dbg_san/sql/mysqld.cc:6466:19
          #2 0x56a81b044f35 in handle_connections_sockets() /test/13.0_dbg_san/sql/mysqld.cc:6702:9
          #3 0x56a81b04347a in run_main_loop() /test/13.0_dbg_san/sql/mysqld.cc:5942:3
          #4 0x56a81b03789c in mysqld_main(int, char**) /test/13.0_dbg_san/sql/mysqld.cc:6371:3
          #5 0x721c8c22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #6 0x721c8c22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #7 0x56a81af456d4 in _start (/test/UBASAN_MD100426-mariadb-13.0.1-linux-x86_64-dbg/bin/mariadbd+0x40946d4) (BuildId: 57d40479ece88ee21294f041e3ea8c6902999338)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/13.0_dbg_san/sql/protocol.h:51:12 in Protocol::valid_handler(unsigned int, protocol_send_type_t) const
      Shadow bytes around the buggy address:
        0x706c8b11a100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x706c8b11a380: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
        0x706c8b11a400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x706c8b11a600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2424454==ABORTING
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  10.6   opt  100426  f39b634db715cd9dc1835653d1ce544df2aa1613  No bug found                  
      CS  10.11  dbg  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  10.11  opt  100426  ba774a0a90fac0163babe9d7a964aa36503e1711  No bug found                  
      CS  11.4   dbg  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  11.4   opt  100426  dc89915ad9bf3dcb67e66d2844c77ec0403373de  No bug found                  
      CS  11.8   dbg  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  11.8   opt  100426  e47db94aea7f0d6e0177e948486fc8860331f05f  No bug found                  
      CS  12.2   dbg  100426  d26a6f44c1f2119377e79a9540886c6d8c01472f  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  12.2   opt  100426  d26a6f44c1f2119377e79a9540886c6d8c01472f  No bug found                  
      CS  12.3   dbg  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  12.3   opt  100426  f5bb9922107672e88f7b5cbdb3d25151cc5744bb  No bug found                  
      CS  13.0   dbg  100426  3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      CS  13.0   opt  100426  3a2f8e27981b76b99d2b87cc3bcec5ef022b2b23  No bug found                  
      ES  10.6   dbg  100426  84a80c8b38208d362225496da08d86d8d454e453  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      ES  10.6   opt  100426  84a80c8b38208d362225496da08d86d8d454e453  No bug found                  
      ES  11.4   dbg  100426  8b2bf17b733262409422ce7d039a0c021fc47077  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      ES  11.4   opt  100426  8b2bf17b733262409422ce7d039a0c021fc47077  No bug found                  
      ES  11.8   dbg  100426  854cae81f52e477c7777a51db26ba640d8755b81  ASAN|heap-use-after-free|sql/protocol.h|Protocol::valid_handler|Protocol_text::store_longlong|Protocol_text::store|Protocol::send_result_set_row
      ES  11.8   opt  100426  854cae81f52e477c7777a51db26ba640d8755b81  No bug found                  
      

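      Testcase is MTR and CLI compatible. Happens at least with MyISAM and InnoDB. In both matrices above, only debug (dbg) builds report the crash; optimized (opt) builds report "No bug found", which suggests (unconfirmed) that the faulting check in Protocol::valid_handler is compiled only into debug builds.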

      Attachments

        Activity

          People

            shulga Dmitry Shulga
            Roel Roel Van de Paar
