=================================================================

==7542==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100000a598 at pc 0x557b20cef86e bp 0x7fd0fcefc140 sp 0x7fd0fcefc138

READ of size 4 at 0x61100000a598 thread T5

    #0 0x557b20cef86d in sf_malloc_usable_size /data/src/10.2/mysys/safemalloc.c:215

    #1 0x557b20cbe9dc in my_free /data/src/10.2/mysys/my_malloc.c:215

    #2 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091

    #3 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112

    #4 0x557b1f5ffb93 in Item::delete_self() /data/src/10.2/sql/item.h:1835

    #5 0x557b1f5ea4fc in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3559

    #6 0x557b1f5ddb00 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2174

    #7 0x557b20014302 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1344

    #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115

    #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909

    #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822

    #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999

    #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821

    #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375

    #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335

    #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241

    #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862

    #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

    #18 0x7fd10776793e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x61100000a598 is located 88 bytes inside of 196-byte region [0x61100000a540,0x61100000a604)

freed by thread T5 here:

    #0 0x7fd1095eb527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)

    #1 0x557b20cf016b in free_memory /data/src/10.2/mysys/safemalloc.c:279

    #2 0x557b20cef771 in sf_free /data/src/10.2/mysys/safemalloc.c:197

    #3 0x557b20cbea12 in my_free /data/src/10.2/mysys/my_malloc.c:217

    #4 0x557b1fd4f86a in Regexp_processor_pcre::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2091

    #5 0x557b1fd4f9ca in Item_func_regex::cleanup() /data/src/10.2/sql/item_cmpfunc.h:2112

    #6 0x557b1f681255 in cleanup_items(Item*) /data/src/10.2/sql/sql_parse.cc:1132

    #7 0x557b2001420d in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1331

    #8 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115

    #9 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909

    #10 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822

    #11 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999

    #12 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821

    #13 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375

    #14 0x557b1f9c348b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335

    #15 0x557b1f9c2ea0 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241

    #16 0x557b203d08ff in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862

    #17 0x7fd109381493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T5 here:

    #0 0x7fd1095eb73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)

    #1 0x557b20ceeee1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118

    #2 0x557b20cbe14a in my_malloc /data/src/10.2/mysys/my_malloc.c:101

    #3 0x557b1f48c124 in my_str_malloc_mysqld /data/src/10.2/sql/mysqld.cc:3657

    #4 0x557b20df77b9 in pcre_compile2 /data/src/10.2/pcre/pcre_compile.c:9410

    #5 0x557b20df5c3b in pcre_compile /data/src/10.2/pcre/pcre_compile.c:9039

    #6 0x557b1fd3de89 in Regexp_processor_pcre::compile(String*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5458

    #7 0x557b1fd3e19b in Regexp_processor_pcre::compile(Item*, bool) /data/src/10.2/sql/item_cmpfunc.cc:5479

    #8 0x557b1fd3efa8 in Regexp_processor_pcre::fix_owner(Item_func*, Item*, Item*) /data/src/10.2/sql/item_cmpfunc.cc:5657

    #9 0x557b1fd3f289 in Item_func_regex::fix_length_and_dec() /data/src/10.2/sql/item_cmpfunc.cc:5684

    #10 0x557b1fd86a96 in Item_func::fix_fields(THD*, Item**) /data/src/10.2/sql/item_func.cc:240

    #11 0x557b1fd3f10c in Item_func_regex::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:5673

    #12 0x557b1fd36249 in Item_cond::fix_fields(THD*, Item**) /data/src/10.2/sql/item_cmpfunc.cc:4588

    #13 0x557b1f5993ce in setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**) /data/src/10.2/sql/sql_base.cc:7827

    #14 0x557b1f720c36 in setup_without_group /data/src/10.2/sql/sql_select.cc:640

    #15 0x557b1f722c55 in JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /data/src/10.2/sql/sql_select.cc:825

    #16 0x557b1f73f629 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3760

    #17 0x557b1f71ef66 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376

    #18 0x557b1f6a20d5 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6474

    #19 0x557b1f68ee78 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3480

    #20 0x557b2001ef2d in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3244

    #21 0x557b2001db78 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.2/sql/sp_head.cc:3007

    #22 0x557b2001e7f7 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.2/sql/sp_head.cc:3160

    #23 0x557b20014178 in sp_head::execute(THD*, bool) /data/src/10.2/sql/sp_head.cc:1326

    #24 0x557b20017f65 in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.2/sql/sp_head.cc:2115

    #25 0x557b1f68b3fc in do_execute_sp /data/src/10.2/sql/sql_parse.cc:2909

    #26 0x557b1f69d734 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:5822

    #27 0x557b1f6aad4e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7999

    #28 0x557b1f6858be in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1821

    #29 0x557b1f682962 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1375

Thread T5 created by T0 here:

    #0 0x7fd1095babba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)

    #1 0x557b203d0ec7 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912

    #2 0x557b1f47f91e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239

    #3 0x557b1f494809 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6451

    #4 0x557b1f494f0e in create_new_thread /data/src/10.2/sql/mysqld.cc:6521

    #5 0x557b1f495f1f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6796

    #6 0x557b1f493d5e in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6070

    #7 0x557b1f47dcbf in main /data/src/10.2/sql/main.cc:25

    #8 0x7fd10769f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/safemalloc.c:215 sf_malloc_usable_size

Shadow bytes around the buggy address:

  0x0c227fff9460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fff9470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fff9480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fff9490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fff94a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

=>0x0c227fff94b0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c227fff94c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fff94d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c227fff94e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa

  0x0c227fff94f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c227fff9500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Heap right redzone:      fb

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack partial redzone:   f4

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Contiguous container OOB:fc

  ASan internal:           fe

==7542==ABORTING

DELIMITER $$;

CREATE PROCEDURE p1(m1 varchar(5))

BEGIN

  SELECT a FROM (SELECT "aa" a) t WHERE t.a regexp m1;

END$$

DELIMITER ;$$

CALL p1('a');

DELIMITER $$;

CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT

BEGIN

  RETURN 1;

END;$$

CREATE OR REPLACE PROCEDURE p1(m1 varchar(5))

BEGIN

  SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, m1);

END$$

DELIMITER ;$$

CALL p1('a');

==19487==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x560c6f43577a bp 0x7f08dda18b40 sp 0x7f08dda18b30 T5)

==19487==The signal is caused by a READ memory access.

==19487==Hint: address points to the zero page.

    #0 0x560c6f435779 in Item_func_sp::cleanup() /home/bar/maria-git/server.10.2.asan/sql/item_func.cc:6502

    #1 0x560c6ebcd245 in Item::delete_self() /home/bar/maria-git/server.10.2.asan/sql/item.h:1841

    #2 0x560c6ebb717f in Query_arena::free_items() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:3462

    #3 0x560c6eba9d5a in THD::cleanup_after_query() /home/bar/maria-git/server.10.2.asan/sql/sql_class.cc:2077

    #4 0x560c6f6bcbc8 in sp_head::execute(THD*, bool) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:1345

    #5 0x560c6f6c12d8 in sp_head::execute_procedure(THD*, List<Item>*) /home/bar/maria-git/server.10.2.asan/sql/sp_head.cc:2116

    #6 0x560c6ec67825 in do_execute_sp /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:2909

    #7 0x560c6ec7d11a in mysql_execute_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:5822

    #8 0x560c6ec8c2ec in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.

    #9 0x560c6ec61150 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/bar/maria-git/server.10.2.asan/sql

    #10 0x560c6ec5d924 in do_command(THD*) /home/bar/maria-git/server.10.2.asan/sql/sql_parse.cc:1374

    #11 0x560c6effdc89 in do_handle_one_connection(CONNECT*) /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1335

    #12 0x560c6effd584 in handle_one_connection /home/bar/maria-git/server.10.2.asan/sql/sql_connect.cc:1241

    #13 0x560c70590fed in pfs_spawn_thread /home/bar/maria-git/server.10.2.asan/storage/perfschema/pfs.cc:1862

    #14 0x7f08e915136c in start_thread (/lib64/libpthread.so.0+0x736c)

    #15 0x7f08e7d10b9e in clone (/lib64/libc.so.6+0x110b9e)

DELIMITER $$;

CREATE OR REPLACE FUNCTION f1(a VARCHAR(10), b VARCHAR(10)) RETURNS INT

BEGIN

  RETURN 1;

END;$$

DELIMITER ;$$

SELECT a FROM (SELECT "aa" a) t WHERE f1(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));

SELECT a FROM (SELECT "aa" a) t WHERE REGEXP_INSTR(t.a, (SELECT MAX('aa') FROM DUAL LIMIT 1));