PREPARE stmt FROM "CREATE ROLE IF NOT EXISTS r WITH ADMIN u";

EXECUTE stmt;

EXECUTE stmt;

# Cleanup

DROP ROLE r;

#3  <signal handler called>

#4  0x00007f6eea8135c2 in __strcmp_sse2_unaligned () from /lib/x86_64-linux-gnu/libc.so.6

#5  0x000055ed09b38f90 in sp_process_definer (thd=0x7f6ee34d5070) at /data/src/10.1/sql/sql_parse.cc:2305

#6  0x000055ed09abf95e in mysql_create_user (thd=0x7f6ee34d5070, list=..., handle_as_role=true) at /data/src/10.1/sql/sql_acl.cc:9440

#7  0x000055ed09b401fe in mysql_execute_command (thd=0x7f6ee34d5070) at /data/src/10.1/sql/sql_parse.cc:4656

#8  0x000055ed09b62d6f in Prepared_statement::execute (this=0x7f6ee1986470, expanded_query=0x7f6eec6179e0, open_cursor=false) at /data/src/10.1/sql/sql_prepare.cc:4322

#9  0x000055ed09b61bd5 in Prepared_statement::execute_loop (this=0x7f6ee1986470, expanded_query=0x7f6eec6179e0, open_cursor=false, packet=0x0, packet_end=0x0) at /data/src/10.1/sql/sql_prepare.cc:3954

#10 0x000055ed09b5fc0a in mysql_sql_stmt_execute (thd=0x7f6ee34d5070) at /data/src/10.1/sql/sql_prepare.cc:3070

#11 0x000055ed09b3adad in mysql_execute_command (thd=0x7f6ee34d5070) at /data/src/10.1/sql/sql_parse.cc:3005

#12 0x000055ed09b485eb in mysql_parse (thd=0x7f6ee34d5070, rawbuf=0x7f6ee1843088 "EXECUTE stmt", length=12, parser_state=0x7f6eec6185e0) at /data/src/10.1/sql/sql_parse.cc:7467

#13 0x000055ed09b36e3c in dispatch_command (command=COM_QUERY, thd=0x7f6ee34d5070, packet=0x7f6ee5ff9071 "EXECUTE stmt", packet_length=12) at /data/src/10.1/sql/sql_parse.cc:1495

#14 0x000055ed09b35bc1 in do_command (thd=0x7f6ee34d5070) at /data/src/10.1/sql/sql_parse.cc:1124

#15 0x000055ed09c70720 in do_handle_one_connection (thd_arg=0x7f6ee34d5070) at /data/src/10.1/sql/sql_connect.cc:1330

#16 0x000055ed09c70484 in handle_one_connection (arg=0x7f6ee34d5070) at /data/src/10.1/sql/sql_connect.cc:1242

#17 0x000055ed0a02e7c6 in pfs_spawn_thread (arg=0x7f6ee9c39ef0) at /data/src/10.1/storage/perfschema/pfs.cc:1861

#18 0x00007f6eec298494 in start_thread (arg=0x7f6eec619b00) at pthread_create.c:333

#19 0x00007f6eea86c93f in clone () from /lib/x86_64-linux-gnu/libc.so.6

==3638==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000233a8 at pc 0x561aefe67c7b bp 0x7fbee14fe610 sp 0x7fbee14fe608

READ of size 8 at 0x62b0000233a8 thread T6

    #0 0x561aefe67c7a in get_current_user(THD*, st_lex_user*, bool) /data/src/10.1/sql/sql_acl.cc:11078

    #1 0x561aeff78d83 in sp_process_definer(THD*) /data/src/10.1/sql/sql_parse.cc:2295

    #2 0x561aefe52c0c in mysql_create_user(THD*, List<st_lex_user>&, bool) /data/src/10.1/sql/sql_acl.cc:9440

    #3 0x561aeff8c0aa in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:4656

    #4 0x561aeffce56e in Prepared_statement::execute(String*, bool) /data/src/10.1/sql/sql_prepare.cc:4322

    #5 0x561aeffcf11f in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.1/sql/sql_prepare.cc:3954

    #6 0x561aeffd0596 in mysql_sql_stmt_execute(THD*) /data/src/10.1/sql/sql_prepare.cc:3070

    #7 0x561aeff7e072 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:3005

    #8 0x561aeff96279 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7467

    #9 0x561aeff9d05d in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1/sql/sql_parse.cc:1495

    #10 0x561aeffa37e9 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1124

    #11 0x561af024ae9d in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1330

    #12 0x561af024b3ae in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242

    #13 0x561af0b1a118 in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1861

    #14 0x7fbeeda2a493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

    #15 0x7fbeebffe93e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x62b0000233a8 is located 424 bytes inside of 24716-byte region [0x62b000023200,0x62b00002928c)

allocated by thread T6 here:

    #0 0x7fbeedc9473f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)

    #1 0x561af12e37df in sf_malloc /data/src/10.1/mysys/safemalloc.c:115

    #2 0x561af13fc05a (/data/bld/10.1-asan/bin/mysqld+0x1dbc05a)

Thread T6 created by T0 here:

    #0 0x7fbeedc63bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)

    #1 0x561af0b2596f in spawn_thread_v1 /data/src/10.1/storage/perfschema/pfs.cc:1911

SUMMARY: AddressSanitizer: use-after-poison /data/src/10.1/sql/sql_acl.cc:11078 get_current_user(THD*, st_lex_user*, bool)

Shadow bytes around the buggy address:

  0x0c567fffc620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c567fffc630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c567fffc640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c567fffc650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00

  0x0c567fffc660: 05 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c567fffc670: 00 00 00 00 07[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c567fffc680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c567fffc690: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c567fffc6a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c567fffc6b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c567fffc6c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Heap right redzone:      fb

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack partial redzone:   f4

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Contiguous container OOB:fc

  ASan internal:           fe

==3638==ABORTING

CREATE PROCEDURE sp() CREATE ROLE r WITH ADMIN u;

CALL sp;

--error ER_CANNOT_USER

CALL sp;

# Cleanup

DROP PROCEDURE sp;

DROP ROLE r;