[MDEV-19817] Server crashes in Multiupdate_prelocking_strategy::handle_end upon UPDATE with view and foreign key Created: 2019-06-20  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Update, Locking
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.4, 10.5, 10.6, 10.11

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-9674 Server crash on large transaction com... Closed
relates to MDEV-21630 Server crashes in mysql_derived_prepa... Confirmed

 Description   

The test case is highly non-deterministic; run it with --repeat=N. Depending on the build type, it fails for me within 10-50 attempts, but it can vary a lot on different machines and builds.

--source include/have_innodb.inc
 
# t2.b will reference t1.a (ALTER below), so t1.a needs an index.
CREATE TABLE t1 (a INT, KEY(a)) ENGINE=InnoDB;
CREATE TABLE t2 (b INT) ENGINE=InnoDB;
# The multi-table UPDATE goes through this view rather than t2 directly.
CREATE  VIEW v2 AS SELECT * FROM t2;
 
--connect (con1,localhost,root,,test)
# ON UPDATE CASCADE presumably pulls t2 into the prelocking set of an UPDATE
# on t1 (Multiupdate_prelocking_strategy::handle_end in the stacks) - confirm.
ALTER TABLE t2 ADD FOREIGN KEY(b) REFERENCES t1 (a) ON UPDATE CASCADE;
# Sent asynchronously so the default connection can race against the
# open_tables() phase of this statement.
--send
  UPDATE t1, v2 SET t1.a = 1;
 
--connection default
# Per the ASAN "freed by" stack, the TABLE is freed by close_tables_for_reopen()
# inside the UPDATE's own open_tables(); FLUSH TABLES is presumably what forces
# that reopen. The DROP of the non-existent table x looks like a timing filler -
# confirm.
DROP TABLE IF EXISTS x;
FLUSH TABLES;
 
--connection con1
# Collects the UPDATE's result; the server crash (heap-use-after-free in
# Item_field::used_tables(), see the stacks below) happens while it executes.
--reap
--disconnect con1
--connection default
DROP VIEW v2;
DROP TABLE t2, t1;

10.3 192aa295

#3  <signal handler called>
#4  0x0000563be5379131 in unsafe_key_update (leaves=..., tables_for_update=1) at /data/src/10.3/sql/sql_update.cc:1371
#5  0x0000563be5379a43 in Multiupdate_prelocking_strategy::handle_end (this=0x7f91ed4cdc90, thd=0x7f9198000b00) at /data/src/10.3/sql/sql_update.cc:1586
#6  0x0000563be51f0174 in open_tables (thd=0x7f9198000b00, options=..., start=0x7f91ed4cdc68, counter=0x7f91ed4cdc64, flags=0, prelocking_strategy=0x7f91ed4cdc90) at /data/src/10.3/sql/sql_base.cc:4272
#7  0x0000563be5374f74 in open_tables (thd=0x7f9198000b00, tables=0x7f91ed4cdc68, counter=0x7f91ed4cdc64, flags=0, prelocking_strategy=0x7f91ed4cdc90) at /data/src/10.3/sql/sql_base.h:251
#8  0x0000563be5379fb4 in mysql_multi_update_prepare (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_update.cc:1709
#9  0x0000563be527dadc in mysql_execute_command (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_parse.cc:4327
#10 0x0000563be5289012 in mysql_parse (thd=0x7f9198000b00, rawbuf=0x7f9198011448 "UPDATE t1, v2 SET t1.a = 1", length=26, parser_state=0x7f91ed4ce5f0, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:7829
#11 0x0000563be5276c10 in dispatch_command (command=COM_QUERY, thd=0x7f9198000b00, packet=0x7f9198008c61 "UPDATE t1, v2 SET t1.a = 1", packet_length=26, is_com_multi=false, is_next_command=false) at /data/src/10.3/sql/sql_parse.cc:1856
#12 0x0000563be5275633 in do_command (thd=0x7f9198000b00) at /data/src/10.3/sql/sql_parse.cc:1401
#13 0x0000563be53deb55 in do_handle_one_connection (connect=0x563be88a02b0) at /data/src/10.3/sql/sql_connect.cc:1402
#14 0x0000563be53de8cc in handle_one_connection (arg=0x563be88a02b0) at /data/src/10.3/sql/sql_connect.cc:1308
#15 0x0000563be5cb7b02 in pfs_spawn_thread (arg=0x563be87e8d50) at /data/src/10.3/storage/perfschema/pfs.cc:1862
#16 0x00007f91f5cf04a4 in start_thread (arg=0x7f91ed4cf700) at pthread_create.c:456
#17 0x00007f91f4238d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.3 192aa295 ASAN

==4418==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190003c5b70 at pc 0x556d0deb973b bp 0x7f1d185bbf90 sp 0x7f1d185bbf88
READ of size 8 at 0x6190003c5b70 thread T28
    #0 0x556d0deb973a in Item_field::used_tables() const /data/src/10.3/sql/item.cc:3548
    #1 0x556d0d65b226 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /data/src/10.3/sql/sql_base.cc:7489
    #2 0x556d0da0399b in setup_fields_with_no_wrap(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, bool) /data/src/10.3/sql/sql_base.h:377
    #3 0x556d0d9f6b28 in Multiupdate_prelocking_strategy::handle_end(THD*) /data/src/10.3/sql/sql_update.cc:1572
    #4 0x556d0d649415 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4272
    #5 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
    #6 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
    #7 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
    #8 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
    #9 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #10 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #11 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #12 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #13 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #14 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #15 0x7f1d2e483d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x6190003c5b70 is located 240 bytes inside of 1100-byte region [0x6190003c5a80,0x6190003c5ecc)
freed by thread T28 here:
    #0 0x7f1d30212a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x556d0ef99e56 in free_memory /data/src/10.3/mysys/safemalloc.c:279
    #2 0x556d0ef994f8 in sf_free /data/src/10.3/mysys/safemalloc.c:197
    #3 0x556d0ef6bb2a in my_free /data/src/10.3/mysys/my_malloc.c:223
    #4 0x556d0ef4ce12 in free_root /data/src/10.3/mysys/my_alloc.c:429
    #5 0x556d0da3178d in closefrm(TABLE*) /data/src/10.3/sql/table.cc:3629
    #6 0x556d0dc8f3d1 in intern_close_table /data/src/10.3/sql/table_cache.cc:222
    #7 0x556d0dc8f638 in tc_remove_table /data/src/10.3/sql/table_cache.cc:260
    #8 0x556d0dc908fd in tc_release_table(TABLE*) /data/src/10.3/sql/table_cache.cc:474
    #9 0x556d0d63a8d4 in close_thread_table(THD*, TABLE**) /data/src/10.3/sql/sql_base.cc:920
    #10 0x556d0d63a035 in close_thread_tables(THD*) /data/src/10.3/sql/sql_base.cc:862
    #11 0x556d0d650011 in close_tables_for_reopen(THD*, TABLE_LIST**, MDL_savepoint const&) /data/src/10.3/sql/sql_base.cc:5493
    #12 0x556d0d648eaf in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4184
    #13 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
    #14 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
    #15 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
    #16 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
    #17 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #18 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #19 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #20 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #21 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #22 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T28 here:
    #0 0x7f1d30212d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x556d0ef98ef8 in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
    #2 0x556d0ef6b271 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
    #3 0x556d0ef4be62 in alloc_root /data/src/10.3/mysys/my_alloc.c:250
    #4 0x556d0ef4d451 in strmake_root /data/src/10.3/mysys/my_alloc.c:480
    #5 0x556d0da2db80 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/src/10.3/sql/table.cc:3186
    #6 0x556d0d63eda5 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.3/sql/sql_base.cc:1979
    #7 0x556d0d646688 in open_and_process_table /data/src/10.3/sql/sql_base.cc:3666
    #8 0x556d0d648e56 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.3/sql/sql_base.cc:4161
    #9 0x556d0d9eca66 in open_tables /data/src/10.3/sql/sql_base.h:251
    #10 0x556d0d9f7814 in mysql_multi_update_prepare(THD*) /data/src/10.3/sql/sql_update.cc:1709
    #11 0x556d0d7932dd in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4327
    #12 0x556d0d7a96c9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7829
    #13 0x556d0d78571f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1856
    #14 0x556d0d7826d9 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1401
    #15 0x556d0dae6e4f in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1402
    #16 0x556d0dae682b in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #17 0x556d0ee70f15 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1862
    #18 0x7f1d2ff3b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T28 created by T0 here:
    #0 0x7f1d30181f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x556d0ee71351 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1912
    #2 0x556d0d4fe730 in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1268
    #3 0x556d0d513581 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6605
    #4 0x556d0d513c64 in create_new_thread /data/src/10.3/sql/mysqld.cc:6675
    #5 0x556d0d514c7c in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6950
    #6 0x556d0d512a51 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6227
    #7 0x556d0d4fce4f in main /data/src/10.3/sql/main.cc:25
    #8 0x7f1d2e3bb2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.3/sql/item.cc:3548 in Item_field::used_tables() const
Shadow bytes around the buggy address:
  0x0c3280070b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070b30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c3280070b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280070b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280070b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c3280070b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280070bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4418==ABORTING

All of debug, non-debug and ASAN builds fail, but it takes longer on non-debug.
Couldn't reproduce with the provided test case on 10.4; maybe it's just a matter of luck or different dynamics, or maybe the problem really doesn't exist there.



 Comments   
Comment by Elena Stepanova [ 2020-10-20 ]

Still reproducible on 10.1-10.3 (and not reproducible on 10.4+).

Comment by Alice Sherepa [ 2021-03-04 ]

I've got something similar on 10.5:

10.5 aa4f76bed715ec1016260f5

=================================================================
==48550==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000b86148 at pc 0x55ad7536a37d bp 0x7f627de02ef0 sp 0x7f627de02ee8
READ of size 8 at 0x61d000b86148 thread T36
    #0 0x55ad7536a37c in Item_field::used_tables() const /10.5/sql/item.cc:3410
    #1 0x55ad749a9e58 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /10.5/sql/sql_base.cc:7660
    #2 0x55ad74e2faaf in setup_fields_with_no_wrap(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, bool) /10.5/sql/sql_base.h:380
    #3 0x55ad74e20fed in Multiupdate_prelocking_strategy::handle_end(THD*) /10.5/sql/sql_update.cc:1727
    #4 0x55ad749963ea in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.5/sql/sql_base.cc:4386
    #5 0x55ad74e12b8d in open_tables /10.5/sql/sql_base.h:263
    #6 0x55ad74e2214d in mysql_multi_update_prepare(THD*) /10.5/sql/sql_update.cc:1868
    #7 0x55ad74b26f5a in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:4483
    #8 0x55ad74b3fc29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:8063
    #9 0x55ad74b16471 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1889
    #10 0x55ad74b12d7f in do_command(THD*) /10.5/sql/sql_parse.cc:1370
    #11 0x55ad74f41809 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1410
    #12 0x55ad74f41166 in handle_one_connection /10.5/sql/sql_connect.cc:1312
    #13 0x55ad75c080f9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #14 0x7f62a0cbffa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #15 0x7f62a02c64ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x61d000b86148 is located 200 bytes inside of 2108-byte region [0x61d000b86080,0x61d000b868bc)
freed by thread T22 here:
    #0 0x7f62a0dc1fb0 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x55ad7686980a in free_memory /10.5/mysys/safemalloc.c:280
    #2 0x55ad76868e38 in sf_free /10.5/mysys/safemalloc.c:198
    #3 0x55ad76837e2c in my_free /10.5/mysys/my_malloc.c:211
    #4 0x55ad76814b23 in free_root /10.5/mysys/my_alloc.c:410
    #5 0x55ad74e66fea in closefrm(TABLE*) /10.5/sql/table.cc:4345
    #6 0x55ad7514c9c9 in intern_close_table /10.5/sql/table_cache.cc:220
    #7 0x55ad751548c2 in TDC_element::flush_unused(bool) /10.5/sql/table_cache.cc:1292
    #8 0x55ad75154502 in TDC_element::flush(THD*, bool) /10.5/sql/table_cache.cc:1257
    #9 0x55ad74985fc8 in wait_while_table_is_used(THD*, TABLE*, ha_extra_function) /10.5/sql/sql_base.cc:1316
    #10 0x55ad74dc07b1 in simple_rename_or_index_change /10.5/sql/sql_table.cc:9679
    #11 0x55ad74dc4e8f in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /10.5/sql/sql_table.cc:10352
    #12 0x55ad74f5d389 in Sql_cmd_alter_table::execute(THD*) /10.5/sql/sql_alter.cc:539
    #13 0x55ad74b326c4 in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:6024
    #14 0x55ad74b3fc29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:8063
    #15 0x55ad74b16471 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1889
    #16 0x55ad74b12d7f in do_command(THD*) /10.5/sql/sql_parse.cc:1370
    #17 0x55ad74f41809 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1410
    #18 0x55ad74f41166 in handle_one_connection /10.5/sql/sql_connect.cc:1312
    #19 0x55ad75c080f9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #20 0x7f62a0cbffa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T36 here:
    #0 0x7f62a0dc2330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x55ad7686881e in sf_malloc /10.5/mysys/safemalloc.c:121
    #2 0x55ad7683707e in my_malloc /10.5/mysys/my_malloc.c:90
    #3 0x55ad76813b97 in alloc_root /10.5/mysys/my_alloc.c:244
    #4 0x55ad768151f3 in memdup_root /10.5/mysys/my_alloc.c:479
    #5 0x55ad75272b06 in Field::clone(st_mem_root*, TABLE*) /10.5/sql/field.cc:2551
    #6 0x55ad74e64371 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /10.5/sql/table.cc:4025
    #7 0x55ad7498973c in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.5/sql/sql_base.cc:2001
    #8 0x55ad749931bc in open_and_process_table /10.5/sql/sql_base.cc:3801
    #9 0x55ad74995cfc in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.5/sql/sql_base.cc:4275
    #10 0x55ad74e12b8d in open_tables /10.5/sql/sql_base.h:263
    #11 0x55ad74e2214d in mysql_multi_update_prepare(THD*) /10.5/sql/sql_update.cc:1868
    #12 0x55ad74b26f5a in mysql_execute_command(THD*) /10.5/sql/sql_parse.cc:4483
    #13 0x55ad74b3fc29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.5/sql/sql_parse.cc:8063
    #14 0x55ad74b16471 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.5/sql/sql_parse.cc:1889
    #15 0x55ad74b12d7f in do_command(THD*) /10.5/sql/sql_parse.cc:1370
    #16 0x55ad74f41809 in do_handle_one_connection(CONNECT*, bool) /10.5/sql/sql_connect.cc:1410
    #17 0x55ad74f41166 in handle_one_connection /10.5/sql/sql_connect.cc:1312
    #18 0x55ad75c080f9 in pfs_spawn_thread /10.5/storage/perfschema/pfs.cc:2201
    #19 0x7f62a0cbffa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T36 created by T0 here:
    #0 0x7f62a0d29db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x55ad75c02ff0 in my_thread_create /10.5/storage/perfschema/my_thread.h:38
    #2 0x55ad75c084e8 in pfs_spawn_thread_v1 /10.5/storage/perfschema/pfs.cc:2252
    #3 0x55ad7481ad6c in inline_mysql_thread_create /10.5/include/mysql/psi/mysql_thread.h:1323
    #4 0x55ad748302a1 in create_thread_to_handle_connection(CONNECT*) /10.5/sql/mysqld.cc:6012
    #5 0x55ad7483090f in create_new_thread(CONNECT*) /10.5/sql/mysqld.cc:6071
    #6 0x55ad74830c73 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/sql/mysqld.cc:6136
    #7 0x55ad748318b2 in handle_connections_sockets() /10.5/sql/mysqld.cc:6263
    #8 0x55ad7482fb08 in mysqld_main(int, char**) /10.5/sql/mysqld.cc:5658
    #9 0x55ad74819774 in main /10.5/sql/main.cc:25
    #10 0x7f62a01f109a in __libc_start_main ../csu/libc-start.c:308
 
Thread T22 created by T0 here:
    #0 0x7f62a0d29db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x55ad75c02ff0 in my_thread_create /10.5/storage/perfschema/my_thread.h:38
    #2 0x55ad75c084e8 in pfs_spawn_thread_v1 /10.5/storage/perfschema/pfs.cc:2252
    #3 0x55ad7481ad6c in inline_mysql_thread_create /10.5/include/mysql/psi/mysql_thread.h:1323
    #4 0x55ad748302a1 in create_thread_to_handle_connection(CONNECT*) /10.5/sql/mysqld.cc:6012
    #5 0x55ad7483090f in create_new_thread(CONNECT*) /10.5/sql/mysqld.cc:6071
    #6 0x55ad74830c73 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.5/sql/mysqld.cc:6136
    #7 0x55ad748318b2 in handle_connections_sockets() /10.5/sql/mysqld.cc:6263
    #8 0x55ad7482fb08 in mysqld_main(int, char**) /10.5/sql/mysqld.cc:5658
    #9 0x55ad74819774 in main /10.5/sql/main.cc:25
    #10 0x7f62a01f109a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.5/sql/item.cc:3410 in Item_field::used_tables() const
Shadow bytes around the buggy address:
  0x0c3a80168bd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80168be0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c3a80168bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80168c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80168c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a80168c20: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c3a80168c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80168c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80168c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80168c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80168c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==48550==ABORTING

Comment by Elena Stepanova [ 2021-03-25 ]

Below is a slightly different test case, also non-deterministic, but seemingly more reliable (currently fails for me within a few attempts).
Until recently it was failing with the same stack traces as in the initial description.
However, after this patch

commit b22285e4821b49546de9b88990bbc9c453dc14b2
Author: Igor Babaev
Date:   Tue Jan 19 08:02:37 2021 -0800
 
    MDEV-16940 Server crashes in unsafe_key_update upon attempt to update view
               through 2nd execution of SP

it started failing in a different fashion:

10.2 b22285e4821b49546de9b88990bbc9c453dc14b2

#3  <signal handler called>
#4  Item_field::used_tables (this=0x7ff334016ff0) at /data/src/10.2-bug/sql/item.cc:2936
#5  0x000055b0471e4e7e in Item_direct_view_ref::used_tables (this=0x7ff33406b568) at /data/src/10.2-bug/sql/item.cc:10778
#6  0x000055b046ec7bf5 in Used_tables_and_const_cache::used_tables_and_const_cache_join (this=0x7ff334013818, item=0x7ff33406b568) at /data/src/10.2-bug/sql/item.h:4205
#7  0x000055b046ec7c7e in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x7ff334013818, item=0x7ff33406b568) at /data/src/10.2-bug/sql/item.h:4211
#8  0x000055b046ec7ccc in Used_tables_and_const_cache::used_tables_and_const_cache_update_and_join (this=0x7ff334013818, argc=2, argv=0x7ff334013800) at /data/src/10.2-bug/sql/item.h:4222
#9  0x000055b046ec91d8 in Item_func::update_used_tables (this=0x7ff334013770) at /data/src/10.2-bug/sql/item_func.h:144
#10 0x000055b046f1c600 in st_select_lex::update_used_tables (this=0x7ff3340050c8) at /data/src/10.2-bug/sql/sql_lex.cc:4246
#11 0x000055b046f6d241 in JOIN::optimize_inner (this=0x7ff33406c820) at /data/src/10.2-bug/sql/sql_select.cc:1233
#12 0x000055b046f6cc1a in JOIN::optimize (this=0x7ff33406c820) at /data/src/10.2-bug/sql/sql_select.cc:1117
#13 0x000055b046f76174 in mysql_select (thd=0x7ff334000d90, tables=0x7ff334012858, wild_num=0, fields=..., conds=0x7ff3340155d8, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=1342177408, result=0x7ff33406c758, unit=0x7ff334004988, select_lex=0x7ff3340050c8) at /data/src/10.2-bug/sql/sql_select.cc:3822
#14 0x000055b04702301e in mysql_multi_update (thd=0x7ff334000d90, table_list=0x7ff334012858, fields=0x7ff3340051f0, values=0x7ff3340056d0, conds=0x7ff3340155d8, options=0, handle_duplicates=DUP_ERROR, ignore=false, unit=0x7ff334004988, select_lex=0x7ff3340050c8, result=0x7ff382163d10) at /data/src/10.2-bug/sql/sql_update.cc:1641
#15 0x000055b046f2ccf2 in mysql_execute_command (thd=0x7ff334000d90) at /data/src/10.2-bug/sql/sql_parse.cc:4109
#16 0x000055b046f38729 in mysql_parse (thd=0x7ff334000d90, rawbuf=0x7ff3340126f8 "UPDATE t1 LEFT JOIN v2 ON ( t1.a != v2.c ) SET v2.b = 40 WHERE NOT EXISTS ( SELECT * FROM t3 )", length=94, parser_state=0x7ff3821645f0, is_com_multi=false, is_next_command=false) at /data/src/10.2-bug/sql/sql_parse.cc:7763
#17 0x000055b046f26a14 in dispatch_command (command=COM_QUERY, thd=0x7ff334000d90, packet=0x7ff334008b51 "UPDATE t1 LEFT JOIN v2 ON ( t1.a != v2.c ) SET v2.b = 40 WHERE NOT EXISTS ( SELECT * FROM t3 )", packet_length=94, is_com_multi=false, is_next_command=false) at /data/src/10.2-bug/sql/sql_parse.cc:1827
#18 0x000055b046f2550f in do_command (thd=0x7ff334000d90) at /data/src/10.2-bug/sql/sql_parse.cc:1381
#19 0x000055b047080a8a in do_handle_one_connection (connect=0x55b0492a3b00) at /data/src/10.2-bug/sql/sql_connect.cc:1336
#20 0x000055b0470807ef in handle_one_connection (arg=0x55b0492a3b00) at /data/src/10.2-bug/sql/sql_connect.cc:1241
#21 0x000055b0478aa33e in pfs_spawn_thread (arg=0x55b04959e2c0) at /data/src/10.2-bug/storage/perfschema/pfs.cc:1869
#22 0x00007ff38820e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#23 0x00007ff387de8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

--source include/have_innodb.inc
 
CREATE TABLE t1 (a CHAR(10)) ENGINE=InnoDB;
INSERT INTO t1 VALUES ('foo'),('bar'); # Optional, fails either way
 
# t2 is updated through the view v2; the KEY on b is needed for the
# foreign key from t3 below.
CREATE TABLE t2 (
  b INT,
  c CHAR(10),
  KEY (b)
) ENGINE=InnoDB;
CREATE VIEW v2 AS SELECT * FROM t2;
 
# t3 references t2.b; the concurrent ALTER below drops this constraint while
# the UPDATE touches t2 (via v2) and t3 (via the NOT EXISTS subquery).
CREATE TABLE t3 (
  d INT,
  FOREIGN KEY fk (d) REFERENCES t2 (b) ON UPDATE SET NULL
) ENGINE=InnoDB;
 
--connect (con1,localhost,root,,test)
# Sent asynchronously so the ALTER (ALGORITHM=COPY) overlaps the UPDATE.
--send
  ALTER TABLE t3 DROP FOREIGN KEY fk, ALGORITHM=COPY;
 
--connection default
# With b22285e4821b49546de9b88990bbc9c453dc14b2 applied this crashes in
# Item_field::used_tables() via Item_direct_view_ref::used_tables() (stack
# above); before it, the stacks matched the initial description.
UPDATE t1 LEFT JOIN v2 ON ( t1.a != v2.c ) SET v2.b = 40 WHERE NOT EXISTS ( SELECT * FROM t3 );
 
# Cleanup
--connection con1
--reap
--disconnect con1
--connection default
DROP VIEW v2;
DROP TABLE t3, t2, t1;

Comment by Elena Stepanova [ 2021-05-11 ]

This comes up in random tests regularly, but so far it's been impossible to come up with a specific test case for this, because for every occurrence of this assertion failure there are hundreds of crashes (on the same query) similar to the description or comments.

10.3 72753d2b

mysqld: /home/elenst/src/10.3/sql/sql_base.cc:5853: Field* find_field_in_natural_join(THD*, TABLE_LIST*, const char*, size_t, Item**, bool, TABLE_LIST**): Assertion `nj_col->table_ref->table == nj_col->table_field->field->table' failed.
210510 23:57:12 [ERROR] mysqld got signal 6 ;
 
#7  0x00002b77219ea202 in __GI___assert_fail (assertion=0x5640f9fd3a50 "nj_col->table_ref->table == nj_col->table_field->field->table", file=0x5640f9fd2718 "/home/elenst/src/10.3/sql/sql_base.cc", line=5853, function=0x5640f9fd5320 <find_field_in_natural_join(THD*, TABLE_LIST*, char const*, unsigned long, Item**, bool, TABLE_LIST**)::__PRETTY_FUNCTION__> "Field* find_field_in_natural_join(THD*, TABLE_LIST*, const char*, size_t, Item**, bool, TABLE_LIST**)") at assert.c:101
#8  0x00005640f92e1bcb in find_field_in_natural_join (thd=0x2b77a8000af0, table_ref=0x2b77a8012708, name=0x2b77a8014678 "col_tinyint", length=11, ref=0x2b77a8014b70, register_tree_change=true, actual_table=0x2b773be617a0) at /home/elenst/src/10.3/sql/sql_base.cc:5853
#9  0x00005640f92e2613 in find_field_in_table_ref (thd=0x2b77a8000af0, table_list=0x2b77a8012708, name=0x2b77a8014678 "col_tinyint", length=11, item_name=0x2b77a8014678 "col_tinyint", db_name=0x0, table_name=0x0, ref=0x2b77a8014b70, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x2b77a801475c, register_tree_change=true, actual_table=0x2b773be617a0) at /home/elenst/src/10.3/sql/sql_base.cc:6089
#10 0x00005640f92e30bc in find_field_in_tables (thd=0x2b77a8000af0, item=0x2b77a8014688, first_table=0x2b77a8012708, last_table=0x0, ref=0x2b77a8014b70, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /home/elenst/src/10.3/sql/sql_base.cc:6355
#11 0x00005640f96c9cfd in Item_field::fix_fields (this=0x2b77a8014688, thd=0x2b77a8000af0, reference=0x2b77a8014b70) at /home/elenst/src/10.3/sql/item.cc:6087
#12 0x00005640f926b916 in Item::fix_fields_if_needed (this=0x2b77a8014688, thd=0x2b77a8000af0, ref=0x2b77a8014b70) at /home/elenst/src/10.3/sql/item.h:829
#13 0x00005640f9723d8f in Item_func::fix_fields (this=0x2b77a8014a30, thd=0x2b77a8000af0, ref=0x2b77a8015338) at /home/elenst/src/10.3/sql/item_func.cc:352
#14 0x00005640f926b916 in Item::fix_fields_if_needed (this=0x2b77a8014a30, thd=0x2b77a8000af0, ref=0x2b77a8015338) at /home/elenst/src/10.3/sql/item.h:829
#15 0x00005640f926b943 in Item::fix_fields_if_needed_for_scalar (this=0x2b77a8014a30, thd=0x2b77a8000af0, ref=0x2b77a8015338) at /home/elenst/src/10.3/sql/item.h:833
#16 0x00005640f92ebbb9 in Item::fix_fields_if_needed_for_bool (this=0x2b77a8014a30, thd=0x2b77a8000af0, ref=0x2b77a8015338) at /home/elenst/src/10.3/sql/item.h:837
#17 0x00005640f96f1aa8 in Item_cond::fix_fields (this=0x2b77a8015220, thd=0x2b77a8000af0, ref=0x2b77a80590d0) at /home/elenst/src/10.3/sql/item_cmpfunc.cc:4624
#18 0x00005640f926b916 in Item::fix_fields_if_needed (this=0x2b77a8015220, thd=0x2b77a8000af0, ref=0x2b77a80590d0) at /home/elenst/src/10.3/sql/item.h:829
#19 0x00005640f926b943 in Item::fix_fields_if_needed_for_scalar (this=0x2b77a8015220, thd=0x2b77a8000af0, ref=0x2b77a80590d0) at /home/elenst/src/10.3/sql/item.h:833
#20 0x00005640f92ebbb9 in Item::fix_fields_if_needed_for_bool (this=0x2b77a8015220, thd=0x2b77a8000af0, ref=0x2b77a80590d0) at /home/elenst/src/10.3/sql/item.h:837
#21 0x00005640f92e85a8 in setup_conds (thd=0x2b77a8000af0, tables=0x2b77a80119d8, leaves=..., conds=0x2b77a80590d0) at /home/elenst/src/10.3/sql/sql_base.cc:8293
#22 0x00005640f93b6402 in setup_without_group (thd=0x2b77a8000af0, ref_pointer_array=..., tables=0x2b77a80119d8, leaves=..., fields=..., all_fields=..., conds=0x2b77a80590d0, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x2b77a8058faf, reserved=0x2b77a800541c) at /home/elenst/src/10.3/sql/sql_select.cc:660
#23 0x00005640f93b8d4b in JOIN::prepare (this=0x2b77a8058cc8, tables_init=0x2b77a80119d8, wild_num=0, conds_init=0x2b77a8015220, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x2b77a8005140, unit_arg=0x2b77a80049b8) at /home/elenst/src/10.3/sql/sql_select.cc:1159
#24 0x00005640f93c4528 in mysql_select (thd=0x2b77a8000af0, tables=0x2b77a80119d8, wild_num=0, fields=..., conds=0x2b77a8015220, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=551097991296, result=0x2b77a80585f8, unit=0x2b77a80049b8, select_lex=0x2b77a8005140) at /home/elenst/src/10.3/sql/sql_select.cc:4318
#25 0x00005640f947f456 in mysql_multi_update (thd=0x2b77a8000af0, table_list=0x2b77a80119d8, fields=0x2b77a8005268, values=0x2b77a8005798, conds=0x2b77a8015220, options=549755813888, handle_duplicates=DUP_ERROR, ignore=false, unit=0x2b77a80049b8, select_lex=0x2b77a8005140, result=0x2b773be62690) at /home/elenst/src/10.3/sql/sql_update.cc:1822
#26 0x00005640f9374ea8 in mysql_execute_command (thd=0x2b77a8000af0) at /home/elenst/src/10.3/sql/sql_parse.cc:4431
#27 0x00005640f9380a03 in mysql_parse (thd=0x2b77a8000af0, rawbuf=0x2b77a8011578 "UPDATE /* QNO 47051 CON_ID 24 */ test.table1_myisam_int_autoinc /* table1_int_autoinc t2_temp_myisam_194824 table0_innodb_int */ AS A NATURAL JOIN test.t1_base_myisam_194824 /* table0_int_autoinc v1_n"..., length=451, parser_state=0x2b773be634f0, is_com_multi=false, is_next_command=false) at /home/elenst/src/10.3/sql/sql_parse.cc:7873
#28 0x00005640f936d20f in dispatch_command (command=COM_QUERY, thd=0x2b77a8000af0, packet=0x2b77a8008d91 "UPDATE /* QNO 47051 CON_ID 24 */ test.table1_myisam_int_autoinc /* table1_int_autoinc t2_temp_myisam_194824 table0_innodb_int */ AS A NATURAL JOIN test.t1_base_myisam_194824 /* table0_int_autoinc v1_n"..., packet_length=451, is_com_multi=false, is_next_command=false) at /home/elenst/src/10.3/sql/sql_parse.cc:1853
#29 0x00005640f936ba74 in do_command (thd=0x2b77a8000af0) at /home/elenst/src/10.3/sql/sql_parse.cc:1399
#30 0x00005640f94ea10f in do_handle_one_connection (connect=0x5640fdcc9040) at /home/elenst/src/10.3/sql/sql_connect.cc:1403
#31 0x00005640f94e9e51 in handle_one_connection (arg=0x5640fdcc9040) at /home/elenst/src/10.3/sql/sql_connect.cc:1308
#32 0x00002b771fc33e65 in start_thread (arg=0x2b773be64700) at pthread_create.c:307
#33 0x00002b7721ab988d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Comment by Alice Sherepa [ 2022-07-05 ]

10.10

=================================================================
==70935==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a001adc740 at pc 0x557a743ad70b bp 0x7fba7a6b6370 sp 0x7fba7a6b6368
READ of size 8 at 0x61a001adc740 thread T39
    #0 0x557a743ad70a in Item_field::used_tables() const /10.10/sql/item.cc:3504
    #1 0x557a738fb301 in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, List<Item>*, bool) /10.10/sql/sql_base.cc:7980
    #2 0x557a73dfe7d7 in setup_fields_with_no_wrap(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>*, bool) /10.10/sql/sql_base.h:383
    #3 0x557a73def5e8 in Multiupdate_prelocking_strategy::handle_end(THD*) /10.10/sql/sql_update.cc:1746
    #4 0x557a738e7ed7 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.10/sql/sql_base.cc:4687
    #5 0x557a73de0b21 in open_tables /10.10/sql/sql_base.h:266
    #6 0x557a73df0755 in mysql_multi_update_prepare(THD*) /10.10/sql/sql_update.cc:1887
    #7 0x557a73a8d7ea in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4448
    #8 0x557a73aa69f4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
    #9 0x557a73a7d0a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
    #10 0x557a73a79dd6 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
    #11 0x557a73f1691e in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
    #12 0x557a73f161a3 in handle_one_connection /10.10/sql/sql_connect.cc:1312
    #13 0x557a74bb1158 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
    #14 0x7fbaabb96fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
    #15 0x7fbaab79fefe in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf8efe)
 
0x61a001adc740 is located 192 bytes inside of 1156-byte region [0x61a001adc680,0x61a001adcb04)
freed by thread T39 here:
    #0 0x7fbaac0a9fb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x557a757c04b3 in free_memory /10.10/mysys/safemalloc.c:297
    #2 0x557a757bf962 in sf_free /10.10/mysys/safemalloc.c:203
    #3 0x557a7578eaf6 in my_free /10.10/mysys/my_malloc.c:211
    #4 0x557a7576978d in root_free /10.10/mysys/my_alloc.c:78
    #5 0x557a7576bfc0 in free_root /10.10/mysys/my_alloc.c:501
    #6 0x557a73e3816c in closefrm(TABLE*) /10.10/sql/table.cc:4557
    #7 0x557a7417e6be in intern_close_table /10.10/sql/table_cache.cc:225
    #8 0x557a7417e8ff in tc_remove_table /10.10/sql/table_cache.cc:263
    #9 0x557a7417fcc6 in tc_release_table(TABLE*) /10.10/sql/table_cache.cc:454
    #10 0x557a738d3e76 in close_thread_table(THD*, TABLE**) /10.10/sql/sql_base.cc:999
    #11 0x557a738d3518 in close_thread_tables(THD*) /10.10/sql/sql_base.cc:942
    #12 0x557a738ef16b in close_tables_for_reopen(THD*, TABLE_LIST**, MDL_savepoint const&) /10.10/sql/sql_base.cc:5983
    #13 0x557a738e77fd in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.10/sql/sql_base.cc:4597
    #14 0x557a73de0b21 in open_tables /10.10/sql/sql_base.h:266
    #15 0x557a73df0755 in mysql_multi_update_prepare(THD*) /10.10/sql/sql_update.cc:1887
    #16 0x557a73a8d7ea in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4448
    #17 0x557a73aa69f4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
    #18 0x557a73a7d0a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
    #19 0x557a73a79dd6 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
    #20 0x557a73f1691e in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
    #21 0x557a73f161a3 in handle_one_connection /10.10/sql/sql_connect.cc:1312
    #22 0x557a74bb1158 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
    #23 0x7fbaabb96fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T39 here:
    #0 0x7fbaac0aa330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x557a757bf348 in sf_malloc /10.10/mysys/safemalloc.c:126
    #2 0x557a7578dd48 in my_malloc /10.10/mysys/my_malloc.c:90
    #3 0x557a75769709 in root_alloc /10.10/mysys/my_alloc.c:66
    #4 0x557a7576aec8 in alloc_root /10.10/mysys/my_alloc.c:332
    #5 0x557a7576c9a1 in memdup_root /10.10/mysys/my_alloc.c:597
    #6 0x557a742b46ca in Field::clone(st_mem_root*, TABLE*) /10.10/sql/field.cc:2621
    #7 0x557a73e3514e in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /10.10/sql/table.cc:4220
    #8 0x557a738d9a96 in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.10/sql/sql_base.cc:2158
    #9 0x557a738e4b87 in open_and_process_table /10.10/sql/sql_base.cc:4087
    #10 0x557a738e77a4 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.10/sql/sql_base.cc:4574
    #11 0x557a73de0b21 in open_tables /10.10/sql/sql_base.h:266
    #12 0x557a73df0755 in mysql_multi_update_prepare(THD*) /10.10/sql/sql_update.cc:1887
    #13 0x557a73a8d7ea in mysql_execute_command(THD*, bool) /10.10/sql/sql_parse.cc:4448
    #14 0x557a73aa69f4 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.10/sql/sql_parse.cc:8036
    #15 0x557a73a7d0a0 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.10/sql/sql_parse.cc:1894
    #16 0x557a73a79dd6 in do_command(THD*, bool) /10.10/sql/sql_parse.cc:1407
    #17 0x557a73f1691e in do_handle_one_connection(CONNECT*, bool) /10.10/sql/sql_connect.cc:1418
    #18 0x557a73f161a3 in handle_one_connection /10.10/sql/sql_connect.cc:1312
    #19 0x557a74bb1158 in pfs_spawn_thread /10.10/storage/perfschema/pfs.cc:2201
    #20 0x7fbaabb96fa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
 
Thread T39 created by T0 here:
    #0 0x7fbaac011db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x557a74bacc78 in my_thread_create /10.10/storage/perfschema/my_thread.h:52
    #2 0x557a74bb1547 in pfs_spawn_thread_v1 /10.10/storage/perfschema/pfs.cc:2252
    #3 0x557a736ce576 in inline_mysql_thread_create /10.10/include/mysql/psi/mysql_thread.h:1139
    #4 0x557a736e5cb7 in create_thread_to_handle_connection(CONNECT*) /10.10/sql/mysqld.cc:6015
    #5 0x557a736e6322 in create_new_thread(CONNECT*) /10.10/sql/mysqld.cc:6074
    #6 0x557a736e6694 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.10/sql/mysqld.cc:6136
    #7 0x557a736e7093 in handle_connections_sockets() /10.10/sql/mysqld.cc:6260
    #8 0x557a736e551e in mysqld_main(int, char**) /10.10/sql/mysqld.cc:5910
    #9 0x557a736cd7c4 in main /10.10/sql/main.cc:34
    #10 0x7fbaab6cb09a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.10/sql/item.cc:3504 in Item_field::used_tables() const
Shadow bytes around the buggy address:
  0x0c3480353890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34803538a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34803538b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34803538c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34803538d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c34803538e0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c34803538f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480353900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480353910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480353920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480353930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==70935==ABORTING
SHUTDOWN_1657030324
