================================================================= ==431==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900022b2a0 at pc 0x7f710117cf50 bp 0x7f70dd427790 sp 0x7f70dd426f38 READ of size 5 at 0x62900022b2a0 thread T11 #0 0x7f710117cf4f in __interceptor_memmove ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773 #1 0x55e874f00f5f in Binary_string::copy(Binary_string const&) /home/mysql/mariadb/sql/sql_string.cc:250 #2 0x55e874936977 in String::copy(String const&) /home/mysql/mariadb/sql/sql_string.h:885 #3 0x55e8755effcc in Item_cache_str::cache_value() /home/mysql/mariadb/sql/item.cc:10489 #4 0x55e875619cdf in Item_in_optimizer::val_int() /home/mysql/mariadb/sql/item_cmpfunc.cc:1563 #5 0x55e8748acfdd in Item::val_int_result() /home/mysql/mariadb/sql/item.h:1779 #6 0x55e8755ec067 in Item_cache_int::cache_value() /home/mysql/mariadb/sql/item.cc:10125 #7 0x55e875601b7c in Item_cache_wrapper::cache() /home/mysql/mariadb/sql/item.cc:8881 #8 0x55e8755e32cb in Item_cache_wrapper::val_bool() /home/mysql/mariadb/sql/item.cc:9067 #9 0x55e87563dbf9 in Item_cond_or::val_int() /home/mysql/mariadb/sql/item_cmpfunc.cc:5448 #10 0x55e874dee5b2 in evaluate_join_record /home/mysql/mariadb/sql/sql_select.cc:21861 #11 0x55e874dedeee in sub_select(JOIN*, st_join_table*, bool) /home/mysql/mariadb/sql/sql_select.cc:21802 #12 0x55e874deb88f in do_select /home/mysql/mariadb/sql/sql_select.cc:21308 #13 0x55e874d73cf5 in JOIN::exec_inner() /home/mysql/mariadb/sql/sql_select.cc:4812 #14 0x55e874d711f5 in JOIN::exec() /home/mysql/mariadb/sql/sql_select.cc:4590 #15 0x55e874d75764 in mysql_select(THD*, TABLE_LIST*, List&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/mysql/mariadb/sql/sql_select.cc:5070 #16 0x55e874d45586 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/mysql/mariadb/sql/sql_select.cc:581 #17 0x55e874c6949b in execute_sqlcom_select /home/mysql/mariadb/sql/sql_parse.cc:6261 #18 0x55e874c57eca in mysql_execute_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:3945 #19 0x55e874c74698 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/mysql/mariadb/sql/sql_parse.cc:8035 #20 0x55e874c4a772 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/mysql/mariadb/sql/sql_parse.cc:1894 #21 0x55e874c474f8 in do_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:1407 #22 0x55e87510112f in do_handle_one_connection(CONNECT*, bool) /home/mysql/mariadb/sql/sql_connect.cc:1418 #23 0x55e8751009bb in handle_one_connection /home/mysql/mariadb/sql/sql_connect.cc:1312 #24 0x55e875d31429 in pfs_spawn_thread /home/mysql/mariadb/storage/perfschema/pfs.cc:2201 #25 0x7f7100bae608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) #26 0x7f710077f132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132) 0x62900022b2a0 is located 160 bytes inside of 16536-byte region [0x62900022b200,0x62900022f298) freed by thread T11 here: #0 0x7f71011e940f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122 #1 0x55e875f8e1cf in ut_allocator::deallocate(unsigned char*, unsigned long) /home/mysql/mariadb/storage/innobase/include/ut0new.h:424 #2 0x55e876173049 in mem_heap_block_free(mem_block_info_t*, mem_block_info_t*) /home/mysql/mariadb/storage/innobase/mem/mem0mem.cc:416 #3 0x55e8762ebb8b in mem_heap_free /home/mysql/mariadb/storage/innobase/include/mem0mem.inl:419 #4 0x55e8762ee534 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /home/mysql/mariadb/storage/innobase/row/row0mysql.cc:101 #5 0x55e876367209 in row_sel_store_mysql_rec /home/mysql/mariadb/storage/innobase/row/row0sel.cc:3122 #6 0x55e8763779f9 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/mysql/mariadb/storage/innobase/row/row0sel.cc:5678 #7 0x55e875f390f4 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /home/mysql/mariadb/storage/innobase/handler/ha_innodb.cc:9262 #8 0x55e875f39fd9 in ha_innobase::rnd_next(unsigned char*) /home/mysql/mariadb/storage/innobase/handler/ha_innodb.cc:9459 #9 0x55e875559979 in handler::ha_rnd_next(unsigned char*) /home/mysql/mariadb/sql/handler.cc:3415 #10 0x55e874974e49 in rr_sequential(READ_RECORD*) /home/mysql/mariadb/sql/records.cc:519 #11 0x55e874940c27 in READ_RECORD::read_record() /home/mysql/mariadb/sql/records.h:81 #12 0x55e874dedb05 in sub_select(JOIN*, st_join_table*, bool) /home/mysql/mariadb/sql/sql_select.cc:21782 #13 0x55e874deb88f in do_select /home/mysql/mariadb/sql/sql_select.cc:21308 #14 0x55e874d73cf5 in JOIN::exec_inner() /home/mysql/mariadb/sql/sql_select.cc:4812 #15 0x55e874d711f5 in JOIN::exec() /home/mysql/mariadb/sql/sql_select.cc:4590 #16 0x55e874d75764 in mysql_select(THD*, TABLE_LIST*, List&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/mysql/mariadb/sql/sql_select.cc:5070 #17 0x55e874d45586 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/mysql/mariadb/sql/sql_select.cc:581 #18 0x55e874c6949b in execute_sqlcom_select /home/mysql/mariadb/sql/sql_parse.cc:6261 #19 0x55e874c57eca in mysql_execute_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:3945 #20 0x55e874c74698 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/mysql/mariadb/sql/sql_parse.cc:8035 #21 0x55e874c4a772 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/mysql/mariadb/sql/sql_parse.cc:1894 #22 0x55e874c474f8 in do_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:1407 #23 0x55e87510112f in do_handle_one_connection(CONNECT*, bool) /home/mysql/mariadb/sql/sql_connect.cc:1418 #24 0x55e8751009bb in handle_one_connection /home/mysql/mariadb/sql/sql_connect.cc:1312 #25 0x55e875d31429 in pfs_spawn_thread /home/mysql/mariadb/storage/perfschema/pfs.cc:2201 #26 0x7f7100bae608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) previously allocated by thread T11 here: #0 0x7f71011e9808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144 #1 0x55e875f8dcba in ut_allocator::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /home/mysql/mariadb/storage/innobase/include/ut0new.h:375 #2 0x55e8761722ed in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /home/mysql/mariadb/storage/innobase/mem/mem0mem.cc:277 #3 0x55e876350638 in mem_heap_create_func /home/mysql/mariadb/storage/innobase/include/mem0mem.inl:377 #4 0x55e876366acf in row_sel_store_mysql_field /home/mysql/mariadb/storage/innobase/row/row0sel.cc:3063 #5 0x55e876367bea in row_sel_store_mysql_rec /home/mysql/mariadb/storage/innobase/row/row0sel.cc:3209 #6 0x55e8763779f9 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /home/mysql/mariadb/storage/innobase/row/row0sel.cc:5678 #7 0x55e875f390f4 in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /home/mysql/mariadb/storage/innobase/handler/ha_innodb.cc:9262 #8 0x55e875f39fd9 in ha_innobase::rnd_next(unsigned char*) /home/mysql/mariadb/storage/innobase/handler/ha_innodb.cc:9459 #9 0x55e875559979 in handler::ha_rnd_next(unsigned char*) /home/mysql/mariadb/sql/handler.cc:3415 #10 0x55e874974e49 in rr_sequential(READ_RECORD*) /home/mysql/mariadb/sql/records.cc:519 #11 0x55e874940c27 in READ_RECORD::read_record() /home/mysql/mariadb/sql/records.h:81 #12 0x55e874dedb05 in sub_select(JOIN*, st_join_table*, bool) /home/mysql/mariadb/sql/sql_select.cc:21782 #13 0x55e874deb88f in do_select /home/mysql/mariadb/sql/sql_select.cc:21308 #14 0x55e874d73cf5 in JOIN::exec_inner() /home/mysql/mariadb/sql/sql_select.cc:4812 #15 0x55e874d711f5 in JOIN::exec() /home/mysql/mariadb/sql/sql_select.cc:4590 #16 0x55e874d75764 in mysql_select(THD*, TABLE_LIST*, List&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/mysql/mariadb/sql/sql_select.cc:5070 #17 0x55e874d45586 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/mysql/mariadb/sql/sql_select.cc:581 #18 0x55e874c6949b in execute_sqlcom_select /home/mysql/mariadb/sql/sql_parse.cc:6261 #19 0x55e874c57eca in mysql_execute_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:3945 #20 0x55e874c74698 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/mysql/mariadb/sql/sql_parse.cc:8035 #21 0x55e874c4a772 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/mysql/mariadb/sql/sql_parse.cc:1894 #22 0x55e874c474f8 in do_command(THD*, bool) /home/mysql/mariadb/sql/sql_parse.cc:1407 #23 0x55e87510112f in do_handle_one_connection(CONNECT*, bool) /home/mysql/mariadb/sql/sql_connect.cc:1418 #24 0x55e8751009bb in handle_one_connection /home/mysql/mariadb/sql/sql_connect.cc:1312 #25 0x55e875d31429 in pfs_spawn_thread /home/mysql/mariadb/storage/perfschema/pfs.cc:2201 #26 0x7f7100bae608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) Thread T11 created by T0 here: #0 0x7f7101116815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x55e875d2d006 in my_thread_create /home/mysql/mariadb/storage/perfschema/my_thread.h:52 #2 0x55e875d3181c in pfs_spawn_thread_v1 /home/mysql/mariadb/storage/perfschema/pfs.cc:2252 #3 0x55e874882d48 in inline_mysql_thread_create /home/mysql/mariadb/include/mysql/psi/mysql_thread.h:1139 #4 0x55e87489ae17 in create_thread_to_handle_connection(CONNECT*) /home/mysql/mariadb/sql/mysqld.cc:6018 #5 0x55e87489b493 in create_new_thread(CONNECT*) /home/mysql/mariadb/sql/mysqld.cc:6077 #6 0x55e87489b800 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/mysql/mariadb/sql/mysqld.cc:6139 #7 0x55e87489c1e6 in handle_connections_sockets() /home/mysql/mariadb/sql/mysqld.cc:6263 #8 0x55e87489a613 in mysqld_main(int, char**) /home/mysql/mariadb/sql/mysqld.cc:5913 #9 0x55e87488206c in main /home/mysql/mariadb/sql/main.cc:34 #10 0x7f7100684082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:773 in __interceptor_memmove Shadow bytes around the buggy address: 0x0c528003d600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c528003d610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c528003d620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c528003d630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c528003d640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c528003d650: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd 0x0c528003d660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c528003d670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c528003d680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c528003d690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c528003d6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==431==ABORTING