[#MDEV-17678] AddressSanitizer: heap-use-after-free in field

insert into `t2` (c1,c2) values (0,'1900-01-01 '),(0,'1988-03-26'),(0,'2027-12-03'),(1,'1971-12-28 '),(0,'2027-12-03'),(0,null),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2013-06-07 '),(null,'2027-12-03'),(1,'1900-01-01 '),(1,'2027-12-03'),(0,'1900-01-01 '),(0,'1900-01-01 '),(1,null),(null,'2027-12-03'),(null,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(null,'2027-12-03'),(0,'2027-12-03'),(0,null),(0,'1900-01-01 '),(1,'2027-12-03'),(1,'1998-02-01 '),(0,'2027-12-03'),(0,'1900-01-01 '),(1,'1982-06-01 '),(1,null),(null,'2027-12-03'),(0,'2027-12-03'),(1,null),(1,'2027-12-03'),(0,'1989-07-13 '),(1,'2024-02-01 '),(1,'2027-12-03'),(1,'2027-12-03'),(null,'2027-12-03'),(0,'2029-09-07 '),(0,null),(1,'2027-12-03'),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2013-02-14 '),(1,'2014-03-27 '),(1,null),(0,'2027-12-03'),(0,'2027-12-03'),(0,'2032-06-26 '),(1,'1998-05-18 '),(1,'2027-12-03'),(1,'1900-01-01 '),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,null),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'1900-01-01 '),(1,'2027-12-03'),(0,'1997-04-15 '),(0,null),(0,'2020-12-07 '),(1,null),(0,'2027-12-03'),(null,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03'),(0,'1993-02-13 '),(1,'2027-12-03'),(1,'2027-12-03'),(0,null),(0,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(0,'2027-12-03'),(1,'2027-12-03'),(0,'1900-01-01 '),(null,null),(1,'2027-12-03'),(1,'2027-12-03'),(1,'2027-12-03 '),(0,null),(null,null),(null,null),(1,'2027-12-03'),(null,null),(null,null),(0,null),(null,null),(null,null);

10.2 f3e9d9a6e6b2614b

   #0 0x5655322a1f64 in mi_uint5korr /git/10.2/include/byte_order_generic_x86_64.h:91

    #1 0x5655322a372d in my_datetime_packed_from_binary(unsigned char const*, unsigned int) /git/10.2/sql/compat56.cc:308

    #2 0x5655322e835e in Field_datetimef::get_TIME(st_mysql_time*, unsigned char const*, unsigned long long) const /git/10.2/sql/field.cc:6880

    #3 0x56553231040e in Field_datetimef::get_date(st_mysql_time*, unsigned long long) /git/10.2/sql/field.h:3008

    #4 0x5655322e7846 in Field_datetime_with_dec::val_str(String*, String*) /git/10.2/sql/field.cc:6821

    #5 0x565531bb7f89 in Field::val_str(String*) /git/10.2/sql/field.h:866

    #6 0x5655325811b6 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /git/10.2/sql/key.cc:369

    #7 0x565532581bf6 in key_unpack(String*, TABLE*, st_key*) /git/10.2/sql/key.cc:442

    #8 0x565532344873 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /git/10.2/sql/handler.cc:3339

    #9 0x565532344ab0 in print_keydup_error(TABLE*, st_key*, unsigned long) /git/10.2/sql/handler.cc:3361

    #10 0x5655329fdb6f in ha_myisam::repair(THD*, st_handler_check_param&, bool) /git/10.2/storage/myisam/ha_myisam.cc:1275

    #11 0x565532a003a0 in ha_myisam::enable_indexes(unsigned int) /git/10.2/storage/myisam/ha_myisam.cc:1606

    #12 0x565532a0121b in ha_myisam::end_bulk_insert() /git/10.2/storage/myisam/ha_myisam.cc:1756

    #13 0x565531d33446 in handler::ha_end_bulk_insert() /git/10.2/sql/handler.h:2912

    #14 0x565531f7ef3a in copy_data_between_tables /git/10.2/sql/sql_table.cc:10164

    #15 0x565531f7b286 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /git/10.2/sql/sql_table.cc:9572

    #16 0x56553209aad0 in Sql_cmd_alter_table::execute(THD*) /git/10.2/sql/sql_alter.cc:329

    #17 0x565531d82e55 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:6228

    #18 0x565531d8d694 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:8015

    #19 0x565531d68b80 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1826

    #20 0x565531d65d25 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1379

    #21 0x56553208cead in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1335

    #22 0x56553208c8b5 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241

    #23 0x56553323671d in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1862

    #24 0x7fcd07b626b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #25 0x7fcd06ff741c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

#10 0x5627f809d9c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871

#13 0x55ec658409c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871

#11 0x5636436c79c1 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /10.4/sql/sql_table.cc:9871

10.3 0c405b06

#3  <signal handler called>

#4  0x00005559ce5c9724 in err_conv (buff=0x7f3341ac3e88 "-1886417009", to_length=511, from=0x8f8f8f8f8f8f8f8f <error: Cannot access memory at address 0x8f8f8f8f8f8f8f8f>, from_length=143, from_cs=0x5559cfb87380 <my_charset_bin>) at /data/src/10.3/sql/sql_error.cc:874

#5  0x00005559ce517155 in ErrConvString::ptr (this=0x7f3341ac3e80) at /data/src/10.3/sql/sql_error.h:842

#6  0x00005559cea0d268 in field_unpack (to=0x7f3341ac4190, field=0x7f32f003b5e0, rec=0x7f32f0038098 "\001", max_length=64, prefix_key=true) at /data/src/10.3/sql/key.cc:398

#7  0x00005559cea0d497 in key_unpack (to=0x7f3341ac4190, table=0x7f32f0036cb0, key=0x7f32f003bae8) at /data/src/10.3/sql/key.cc:444

#8  0x00005559ce910307 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, msg=0x5559d0e2f431 "Duplicate entry '%-.64s' for key '%-.192s'", errflag=0) at /data/src/10.3/sql/handler.cc:3650

#9  0x00005559ce910449 in print_keydup_error (table=0x7f32f0036cb0, key=0x7f32f003bae8, errflag=0) at /data/src/10.3/sql/handler.cc:3673

#10 0x00005559cefa70fb in ha_myisam::repair (this=0x7f32f00378f8, thd=0x7f32f0000b00, param=..., do_optimize=false) at /data/src/10.3/storage/myisam/ha_myisam.cc:1281

#11 0x00005559cefa814b in ha_myisam::enable_indexes (this=0x7f32f00378f8, mode=2) at /data/src/10.3/storage/myisam/ha_myisam.cc:1612

#12 0x00005559cefa864c in ha_myisam::end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/storage/myisam/ha_myisam.cc:1773

#13 0x00005559ce5dbecf in handler::ha_end_bulk_insert (this=0x7f32f00378f8) at /data/src/10.3/sql/handler.h:3163

#14 0x00005559ce6f15da in copy_data_between_tables (thd=0x7f32f0000b00, from=0x7f32f0184320, to=0x7f32f0036cb0, create=..., ignore=false, order_num=0, order=0x0, copied=0x7f3341ac5e98, deleted=0x7f3341ac5ea0, keys_onoff=Alter_info::LEAVE_AS_IS, alter_ctx=0x7f3341ac68d0) at /data/src/10.3/sql/sql_table.cc:10541

#15 0x00005559ce6ef20b in mysql_alter_table (thd=0x7f32f0000b00, new_db=0x7f32f00051d8, new_name=0x7f32f0005598, create_info=0x7f3341ac74c0, table_list=0x7f32f0012940, alter_info=0x7f3341ac7400, order_num=0, order=0x0, ignore=false) at /data/src/10.3/sql/sql_table.cc:9900

#16 0x00005559ce77625d in Sql_cmd_alter_table::execute (this=0x7f32f00130c0, thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_alter.cc:488

#17 0x00005559ce617fee in mysql_execute_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:6285

#18 0x00005559ce61d300 in mysql_parse (thd=0x7f32f0000b00, rawbuf=0x7f32f0012808 "ALTER TABLE `t4_MyISAM` MODIFY `col_dec` DATE", length=45, parser_state=0x7f3341ac85f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:8091

#19 0x00005559ce60a350 in dispatch_command (command=COM_QUERY, thd=0x7f32f0000b00, packet=0x7f32f015fe71 "", packet_length=45, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1858

#20 0x00005559ce608d75 in do_command (thd=0x7f32f0000b00) at /data/src/10.3/sql/sql_parse.cc:1403

#21 0x00005559ce770825 in do_handle_one_connection (connect=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1402

#22 0x00005559ce77059c in handle_one_connection (arg=0x5559d1a38f30) at /data/src/10.3/sql/sql_connect.cc:1308

#23 0x00005559cf0454be in pfs_spawn_thread (arg=0x5559d19816f0) at /data/src/10.3/storage/perfschema/pfs.cc:1862

#24 0x00007f3349a3f4a4 in start_thread (arg=0x7f3341ac9700) at pthread_create.c:456

#25 0x00007f3347f87d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 d67e17bb

==3511405==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000035e0b at pc 0x559bc9d4bc51 bp 0x7f0cc68a6950 sp 0x7f0cc68a6940

READ of size 1 at 0x611000035e0b thread T5

    #0 0x559bc9d4bc50 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /data/src/10.4/sql/key.cc:377

    #1 0x559bc9d4c637 in key_unpack(String*, TABLE*, st_key*) /data/src/10.4/sql/key.cc:443

    #2 0x559bc9a95843 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /data/src/10.4/sql/handler.cc:3709

    #3 0x559bc9a95afe in print_keydup_error(TABLE*, st_key*, unsigned long) /data/src/10.4/sql/handler.cc:3732

    #4 0x559bcab56546 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1320

    #5 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652

    #6 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847

    #7 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424

    #8 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945

    #9 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295

    #10 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520

    #11 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160

    #12 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958

    #13 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855

    #14 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373

    #15 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412

    #16 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316

    #17 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869

    #18 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

    #19 0x7f0cd014a292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x611000035e0b is located 139 bytes inside of 252-byte region [0x611000035d80,0x611000035e7c)

freed by thread T5 here:

    #0 0x7f0cd0ad77cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)

    #1 0x559bcae6647c in free_memory /data/src/10.4/mysys/safemalloc.c:279

    #2 0x559bcae65a38 in sf_free /data/src/10.4/mysys/safemalloc.c:197

    #3 0x559bcae33d23 in my_free /data/src/10.4/mysys/my_malloc.c:222

    #4 0x559bcab7d771 in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2559

    #5 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313

    #6 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652

    #7 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847

    #8 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424

    #9 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945

    #10 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295

    #11 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520

    #12 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160

    #13 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958

    #14 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855

    #15 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373

    #16 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412

    #17 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316

    #18 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869

    #19 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T5 here:

    #0 0x7f0cd0ad7bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)

    #1 0x559bcae653ec in sf_malloc /data/src/10.4/mysys/safemalloc.c:118

    #2 0x559bcae3322c in my_malloc /data/src/10.4/mysys/my_malloc.c:101

    #3 0x559bcae336f2 in my_realloc /data/src/10.4/mysys/my_malloc.c:155

    #4 0x559bcabdb6a7 in mi_alloc_rec_buff /data/src/10.4/storage/myisam/mi_open.c:762

    #5 0x559bcab79e8f in mi_repair_by_sort /data/src/10.4/storage/myisam/mi_check.c:2240

    #6 0x559bcab56353 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.4/storage/myisam/ha_myisam.cc:1313

    #7 0x559bcab58f59 in ha_myisam::enable_indexes(unsigned int) /data/src/10.4/storage/myisam/ha_myisam.cc:1652

    #8 0x559bcab5a5f5 in ha_myisam::end_bulk_insert() /data/src/10.4/storage/myisam/ha_myisam.cc:1847

    #9 0x559bc9a9a36e in handler::ha_end_bulk_insert() /data/src/10.4/sql/handler.cc:4424

    #10 0x559bc94faf07 in copy_data_between_tables /data/src/10.4/sql/sql_table.cc:10945

    #11 0x559bc94f57e5 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.4/sql/sql_table.cc:10295

    #12 0x559bc9676faa in Sql_cmd_alter_table::execute(THD*) /data/src/10.4/sql/sql_alter.cc:520

    #13 0x559bc928ce65 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6160

    #14 0x559bc9298c42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7958

    #15 0x559bc926f833 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1855

    #16 0x559bc926c2e2 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1373

    #17 0x559bc965e4c1 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412

    #18 0x559bc965dd65 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316

    #19 0x559bcad16cc2 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869

    #20 0x7f0cd08e1608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:

    #0 0x7f0cd0a04805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)

    #1 0x559bcad170b3 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919

    #2 0x559bc8f75c78 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275

    #3 0x559bc8f8d84c in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259

    #4 0x559bc8f8dfe7 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329

    #5 0x559bc8f8e4cd in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427

    #6 0x559bc8f8f366 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585

    #7 0x559bc8f8cf51 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917

    #8 0x559bc8f73bec in main /data/src/10.4/sql/main.cc:25

    #9 0x7f0cd004f0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/key.cc:377 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool)

Shadow bytes around the buggy address:

  0x0c227fffeb70: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa

  0x0c227fffeb80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00

  0x0c227fffeb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c227fffeba0: 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa fa

  0x0c227fffebb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

=>0x0c227fffebc0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c227fffebd0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd

  0x0c227fffebe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c227fffebf0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa

  0x0c227fffec00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c227fffec10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==3511405==ABORTING

=================================================================

==79871==ERROR: AddressSanitizer: heap-use-after-free on address 0x61f00047972d at pc 0x7f9ac056331e bp 0x7f9a931e95e0 sp 0x7f9a931e8d90

READ of size 4 at 0x61f00047972d thread T27

    #0 0x7f9ac056331d  (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d)

    #1 0x55eb8a7f0f5d in UUID::Segment::record_to_memory(char*, char const*) const /10.10/plugin/type_uuid/sql_type_uuid.h:61

    #2 0x55eb8a7f1190 in UUID::record_to_memory(char*, char const*) /10.10/plugin/type_uuid/sql_type_uuid.h:99

    #3 0x55eb8a80272a in FixedBinTypeBundle<UUID>::Fbt::record_to_memory(char const*) /10.10/sql/sql_type_fixedbin.h:117

    #4 0x55eb8a802164 in FixedBinTypeBundle<UUID>::Field_fbt::to_fbt() const /10.10/sql/sql_type_fixedbin.h:1205

    #5 0x55eb8a7ff57c in FixedBinTypeBundle<UUID>::Field_fbt::val_str(String*, String*) /10.10/sql/sql_type_fixedbin.h:1210

    #6 0x55eb88632891 in Field::val_str(String*) /10.10/sql/field.h:1038

    #7 0x55eb895223d4 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /10.10/sql/key.cc:367

    #8 0x55eb89522efa in key_unpack(String*, TABLE*, st_key*) /10.10/sql/key.cc:441

    #9 0x55eb89217a6c in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /10.10/sql/handler.cc:4268

    #10 0x55eb89217d02 in print_keydup_error(TABLE*, st_key*, unsigned long) /10.10/sql/handler.cc:4291

    #11 0x55eb8a4b3fad in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1322

    #12 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654

    #13 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849

    #14 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019

    #15 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707

    #16 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877

    #17 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208

    #18 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036

    #19 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894

    #20 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407

    #21 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418

    #22 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312

    #23 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201

    #24 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486

    #25 0x7f9abfd02efe in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf8efe)

0x61f00047972d is located 173 bytes inside of 3012-byte region [0x61f000479680,0x61f00047a244)

freed by thread T27 here:

    #0 0x7f9ac060cfb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)

    #1 0x55eb8a67a0bc in free_memory /10.10/mysys/safemalloc.c:297

    #2 0x55eb8a67956b in sf_free /10.10/mysys/safemalloc.c:203

    #3 0x55eb8a6486ff in my_free /10.10/mysys/my_malloc.c:211

    #4 0x55eb8a4d9ba6 in mi_repair_by_sort /10.10/storage/myisam/mi_check.c:2560

    #5 0x55eb8a4b3db3 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1315

    #6 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654

    #7 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849

    #8 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019

    #9 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707

    #10 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877

    #11 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208

    #12 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036

    #13 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894

    #14 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407

    #15 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418

    #16 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312

    #17 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201

    #18 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486

previously allocated by thread T27 here:

    #0 0x7f9ac060d330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)

    #1 0x55eb8a678f51 in sf_malloc /10.10/mysys/safemalloc.c:126

    #2 0x55eb8a647951 in my_malloc /10.10/mysys/my_malloc.c:90

    #3 0x55eb8a647ed5 in my_realloc /10.10/mysys/my_malloc.c:141

    #4 0x55eb8a5339ab in mi_alloc_rec_buff /10.10/storage/myisam/mi_open.c:762

    #5 0x55eb8a4d6291 in mi_repair_by_sort /10.10/storage/myisam/mi_check.c:2241

    #6 0x55eb8a4b3db3 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /10.10/storage/myisam/ha_myisam.cc:1315

    #7 0x55eb8a4b6865 in ha_myisam::enable_indexes(unsigned int) /10.10/storage/myisam/ha_myisam.cc:1654

    #8 0x55eb8a4b7e35 in ha_myisam::end_bulk_insert() /10.10/storage/myisam/ha_myisam.cc:1849

    #9 0x55eb8921c6bd in handler::ha_end_bulk_insert() /10.10/sql/handler.cc:5019

    #10 0x55eb88c33efb in copy_data_between_tables /10.10/sql/sql_table.cc:11707

    #11 0x55eb88c2ce61 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.10/sql/sql_table.cc:10877

    #12 0x55eb8893e02a in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4208

    #13 0x55eb88958d8a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036

    #14 0x55eb8892f436 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894

    #15 0x55eb8892c16c in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407

    #16 0x55eb88dcaa76 in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418

    #17 0x55eb88dca2fb in handle_one_connection /10.10/sql/sql_connect.cc:1312

    #18 0x55eb89a68740 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201

    #19 0x7f9ac00f9fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486

Thread T27 created by T0 here:

    #0 0x7f9ac0574db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)

    #1 0x55eb89a64260 in my_thread_create /10.10/storage/perfschema/my_thread.h:52

    #2 0x55eb89a68b2f in pfs_spawn_thread_v1 /10.10/storage/perfschema/pfs.cc:2252

    #3 0x55eb88581586 in inline_mysql_thread_create /10.10/include/mysql/psi/mysql_thread.h:1139

    #4 0x55eb88598cc7 in create_thread_to_handle_connection(CONNECT*) /10.10/sql/mysqld.cc:6015

    #5 0x55eb88599332 in create_new_thread(CONNECT*) /10.10/sql/mysqld.cc:6074

    #6 0x55eb885996a4 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/sql/mysqld.cc:6136

    #7 0x55eb8859a0a3 in handle_connections_sockets() /10.10/sql/mysqld.cc:6260

    #8 0x55eb8859852e in mysqld_main(int, char**) /10.10/sql/mysqld.cc:5910

    #9 0x55eb885807d4 in main /10.10/sql/main.cc:34

    #10 0x7f9abfc2e09a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x3f31d)

Shadow bytes around the buggy address:

  0x0c3e80087290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c3e800872a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa

  0x0c3e800872b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3e800872c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3e800872d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

=>0x0c3e800872e0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd

  0x0c3e800872f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c3e80087300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c3e80087310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c3e80087320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

  0x0c3e80087330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==79871==ABORTING

SHUTDOWN_1655825062

[MDEV-17678] AddressSanitizer: heap-use-after-free in field_unpack upon modifying column type Created: 2018-11-12 Updated: 2023-11-28
Status:	Confirmed
Project:	MariaDB Server
Component/s:	Storage Engine - MyISAM, Virtual Columns
Affects Version/s:	10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s:	10.4, 10.5, 10.6

[MDEV-17678] AddressSanitizer: heap-use-after-free in field_unpack upon modifying column type Created: 2018-11-12 Updated: 2023-11-28