[#MDEV-20410] Pure virtual method called in Item_ref::set_properties, SIGSEGV or ASAN heap-use-after-free in create_view

[MDEV-20410] Pure virtual method called in Item_ref::set_properties, SIGSEGV or ASAN heap-use-after-free in create_view_field Created: 2019-08-22 Updated: 2023-07-28 Resolved: 2023-07-28
Status:	Closed
Project:	MariaDB Server
Component/s:	Locking, Stored routines, Views
Affects Version/s:	10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s:	N/A

Type:

Bug

Priority:

Major

Reporter:

Elena Stepanova

Assignee:

Oleksandr Byelkin

Resolution:

Cannot Reproduce

Votes:

Labels:

ASAN, memory_not_freed

Issue Links:

Relates
relates to	MDEV-14557	Assertion `m_sp == __null' failed in ...	Stalled
relates to	~~MDEV-19014~~	pure virtual method called, SIGSEGV, ...	Closed
relates to	MDEV-19178	Server crash in create_view_field or ...	Confirmed
relates to	MDEV-21630	Server crashes in mysql_derived_prepa...	Confirmed

Description

Unlike MDEV-14557 or MDEV-19178, this one doesn't have an (obvious) invalidation.

CREATE FUNCTION f (i INT) RETURNS INT RETURN 3;

CREATE TABLE t1 (a INT);

CREATE TABLE t2 (b INT);

CREATE VIEW v AS WITH cte AS ( SELECT * FROM t1 ) SELECT * FROM cte;

CREATE PROCEDURE p () SELECT 1 FROM v WHERE f(a) < 9;

LOCK TABLE t2 WRITE;

--error ER_TABLE_NOT_LOCKED

CALL p();

UNLOCK TABLES;

CALL p();

CALL p();

# Cleanup

DROP PROCEDURE p;

DROP FUNCTION f;

DROP VIEW v;

DROP TABLE t1, t2;

10.4 release c5bc0ced
pure virtual method called
terminate called without an active exception
190823 2:36:53 [ERROR] mysqld got signal 6 ;

#5 0x00007fa82534542a in __GI_abort () at abort.c:89
#6 0x00007fa825c5c0ad in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007fa825c5a066 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00007fa825c5a0b1 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9 0x00007fa825c5ab8f in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x0000561392ee1891 in Item_ref::set_properties (this=this@entry=0x7fa8040d4b10) at /data/src/10.4/sql/item.cc:7928
#11 0x0000561392ee1937 in Item_ref::Item_ref (this=0x7fa8040d4b10, thd=<optimized out>, context_arg=<optimized out>, item=0x7fa804035768, table_name_arg=<optimized out>, field_name_arg=<optimized out>, alias_name_used_arg=false) at /data/src/10.4/sql/item.cc:7567
#12 0x0000561392d7bac9 in Item_direct_ref::Item_direct_ref (alias_name_used_arg=false, field_name_arg=0x7fa804035770, table_name_arg=<optimized out>, item=0x7fa804035768, context_arg=0x7fa804036718, thd=0x7fa8040009a8, this=0x7fa8040d4b10) at /data/src/10.4/sql/item.h:5377
#13 Item_direct_view_ref::Item_direct_view_ref (view_arg=0x7fa8040d7710, field_name_arg=0x7fa804035770, table_name_arg=<optimized out>, item=0x7fa804035768, context_arg=0x7fa804036718, thd=0x7fa8040009a8, this=0x7fa8040d4b10) at /data/src/10.4/sql/item.h:5619
#14 create_view_field (thd=thd@entry=0x7fa8040009a8, view=0x7fa8040d7710, field_ref=0x7fa804035768, name=0x7fa804035770) at /data/src/10.4/sql/table.cc:6405
#15 0x0000561392d7bd17 in Field_iterator_view::create_item (this=this@entry=0x7fa81b4f59a0, thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/table.cc:6363
#16 0x0000561392c73b15 in find_field_in_view (length=1, item_name=<optimized out>, register_tree_change=true, ref=0x7fa8040d81b0, name=0x7fa8040d7de8 "a", table_list=0x7fa8040d7710, thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_base.cc:5779
#17 find_field_in_table_ref (thd=thd@entry=0x7fa8040009a8, table_list=table_list@entry=0x7fa8040d7710, name=name@entry=0x7fa8040d7de8 "a", length=length@entry=1, item_name=<optimized out>, db_name=<optimized out>, db_name@entry=0x0, table_name=0x0, ref=0x7fa8040d81b0, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fa8040d7ec4, register_tree_change=true, actual_table=0x7fa81b4f5ac8) at /data/src/10.4/sql/sql_base.cc:6118
#18 0x0000561392c74323 in find_field_in_tables (thd=thd@entry=0x7fa8040009a8, item=item@entry=0x7fa8040d7df0, first_table=0x7fa8040d7710, last_table=0x0, ref=ref@entry=0x7fa8040d81b0, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6356
#19 0x0000561392ee2c00 in Item_field::fix_fields (this=0x7fa8040d7df0, thd=0x7fa8040009a8, reference=0x7fa8040d81b0) at /data/src/10.4/sql/item.cc:5718
#20 0x0000561392f1bae3 in Item::fix_fields_if_needed (ref=0x7fa8040d81b0, thd=0x7fa8040009a8, this=0x7fa8040d7df0) at /data/src/10.4/sql/item.h:956
#21 Item_func::fix_fields (this=0x7fa8040d8120, thd=0x7fa8040009a8, ref=<optimized out>) at /data/src/10.4/sql/item_func.cc:351
#22 0x0000561392f26752 in Item_func_sp::fix_fields (this=0x7fa8040d8120, thd=0x7fa8040009a8, ref=0x7fa8040da4d8) at /data/src/10.4/sql/item_func.cc:6397
#23 0x0000561392f1bae3 in Item::fix_fields_if_needed (ref=0x7fa8040da4d8, thd=0x7fa8040009a8, this=0x7fa8040d8120) at /data/src/10.4/sql/item.h:956
#24 Item_func::fix_fields (this=0x7fa8040da448, thd=0x7fa8040009a8, ref=<optimized out>) at /data/src/10.4/sql/item_func.cc:351
#25 0x0000561392c7696f in Item::fix_fields_if_needed (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:956
#26 Item::fix_fields_if_needed_for_scalar (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:960
#27 Item::fix_fields_if_needed_for_bool (ref=0x7fa8040d48b8, thd=0x7fa8040009a8, this=0x7fa8040da448) at /data/src/10.4/sql/item.h:964
#28 setup_conds (thd=thd@entry=0x7fa8040009a8, tables=tables@entry=0x7fa8040d7710, leaves=..., conds=conds@entry=0x7fa8040d48b8) at /data/src/10.4/sql/sql_base.cc:8372
#29 0x0000561392d12b23 in setup_without_group (reserved=0x7fa8040d74c4, hidden_group_fields=0x7fa8040d4797, win_funcs=..., win_specs=..., group=0x0, order=0x0, conds=0x7fa8040d48b8, all_fields=..., fields=..., leaves=..., tables=0x7fa8040d7710, ref_pointer_array=..., thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_select.cc:689
#30 JOIN::prepare (this=this@entry=0x7fa8040d44b0, tables_init=tables_init@entry=0x7fa8040d7710, wild_num=wild_num@entry=0, conds_init=conds_init@entry=0x7fa8040da448, og_num=og_num@entry=0, order_init=order_init@entry=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fa8040d71c0, unit_arg=0x7fa8040d89f8) at /data/src/10.4/sql/sql_select.cc:1231
#31 0x0000561392d21df2 in mysql_select (thd=thd@entry=0x7fa8040009a8, tables=0x7fa8040d7710, wild_num=0, fields=..., conds=0x7fa8040da448, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147749632, result=0x7fa8040d4488, unit=0x7fa8040d89f8, select_lex=0x7fa8040d71c0) at /data/src/10.4/sql/sql_select.cc:4596
#32 0x0000561392d21f4e in handle_select (thd=thd@entry=0x7fa8040009a8, lex=lex@entry=0x7fa8040d8930, result=result@entry=0x7fa8040d4488, setup_tables_done_option=setup_tables_done_option@entry=0) at /data/src/10.4/sql/sql_select.cc:425
#33 0x0000561392be4bb2 in execute_sqlcom_select (thd=thd@entry=0x7fa8040009a8, all_tables=0x7fa8040d7710) at /data/src/10.4/sql/sql_parse.cc:6356
#34 0x0000561392ccbc70 in mysql_execute_command (thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3898
#35 0x0000561392c3ec33 in sp_instr_stmt::exec_core (this=0x7fa8040d8360, thd=0x7fa8040009a8, nextp=0x7fa81b4f9cc4) at /data/src/10.4/sql/sp_head.cc:3607
#36 0x0000561392c451c8 in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7fa8040d83a8, thd=thd@entry=0x7fa8040009a8, nextp=nextp@entry=0x7fa81b4f9cc4, open_tables=open_tables@entry=false, instr=instr@entry=0x7fa8040d8360) at /data/src/10.4/sql/sp_head.cc:3335
#37 0x0000561392c45be4 in sp_instr_stmt::execute (this=0x7fa8040d8360, thd=0x7fa8040009a8, nextp=0x7fa81b4f9cc4) at /data/src/10.4/sql/sp_head.cc:3513
#38 0x0000561392c413e2 in sp_head::execute (this=this@entry=0x7fa8040d6540, thd=thd@entry=0x7fa8040009a8, merge_da_on_success=merge_da_on_success@entry=true) at /data/src/10.4/sql/sp_head.cc:1346
#39 0x0000561392c4258c in sp_head::execute_procedure (this=0x7fa8040d6540, thd=thd@entry=0x7fa8040009a8, args=0x7fa8040055d0) at /data/src/10.4/sql/sp_head.cc:2288
#40 0x0000561392cc357f in do_execute_sp (thd=0x7fa8040009a8, sp=<optimized out>) at /data/src/10.4/sql/sql_parse.cc:3019
#41 0x0000561392cc4956 in Sql_cmd_call::execute (this=this@entry=0x7fa80400fdf0, thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3261
#42 0x0000561392cc51fa in Sql_cmd_call::execute (this=0x7fa80400fdf0, thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:3215
#43 0x0000561392ccbcd0 in mysql_execute_command (thd=thd@entry=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:6098
#44 0x0000561392cd2e79 in mysql_parse (thd=thd@entry=0x7fa8040009a8, rawbuf=<optimized out>, length=8, parser_state=parser_state@entry=0x7fa81b4fd1b0, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:7908
#45 0x0000561392cd5208 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7fa8040009a8, packet=packet@entry=0x7fa804007999 "CALL p()", packet_length=packet_length@entry=8, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.4/sql/sql_parse.cc:1843
#46 0x0000561392cd6959 in do_command (thd=0x7fa8040009a8) at /data/src/10.4/sql/sql_parse.cc:1360
#47 0x0000561392da523e in do_handle_one_connection (connect=connect@entry=0x5613958fbe98) at /data/src/10.4/sql/sql_connect.cc:1404
#48 0x0000561392da5354 in handle_one_connection (arg=arg@entry=0x5613958fbe98) at /data/src/10.4/sql/sql_connect.cc:1306
#49 0x000056139334e3f4 in pfs_spawn_thread (arg=0x5613958926b8) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#50 0x00007fa826eb14a4 in start_thread (arg=0x7fa81b4fe700) at pthread_create.c:456
#51 0x00007fa8253f9d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 debug c5bc0ced
#3 <signal handler called>
#4 0x00005618aef14269 in create_view_field (thd=0x7fc664000b00, view=0x7fc664145748, field_ref=0x7fc6640523b0, name=0x7fc6640523b8) at /data/src/10.4/sql/table.cc:6386
#5 0x00005618aef14117 in Field_iterator_view::create_item (this=0x7fc6742b7030, thd=0x7fc664000b00) at /data/src/10.4/sql/table.cc:6363
#6 0x00005618aed53b47 in find_field_in_view (thd=0x7fc664000b00, table_list=0x7fc664145748, name=0x7fc664145e20 "a", length=1, item_name=0x7fc664145e20 "a", ref=0x7fc6641461e8, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:5779
#7 0x00005618aed549bc in find_field_in_table_ref (thd=0x7fc664000b00, table_list=0x7fc664145748, name=0x7fc664145e20 "a", length=1, item_name=0x7fc664145e20 "a", db_name=0x0, table_name=0x0, ref=0x7fc6641461e8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fc664145efc, register_tree_change=true, actual_table=0x7fc6742b7220) at /data/src/10.4/sql/sql_base.cc:6118
#8 0x00005618aed552d6 in find_field_in_tables (thd=0x7fc664000b00, item=0x7fc664145e28, first_table=0x7fc664145748, last_table=0x0, ref=0x7fc6641461e8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6356
#9 0x00005618af15143a in Item_field::fix_fields (this=0x7fc664145e28, thd=0x7fc664000b00, reference=0x7fc6641461e8) at /data/src/10.4/sql/item.cc:5718
#10 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664145e28, thd=0x7fc664000b00, ref=0x7fc6641461e8) at /data/src/10.4/sql/item.h:956
#11 0x00005618af1a8e80 in Item_func::fix_fields (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item_func.cc:351
#12 0x00005618af1be3c3 in Item_func_sp::fix_fields (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item_func.cc:6397
#13 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664146158, thd=0x7fc664000b00, ref=0x7fc664042c30) at /data/src/10.4/sql/item.h:956
#14 0x00005618af1a8e80 in Item_func::fix_fields (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item_func.cc:351
#15 0x00005618aecdf057 in Item::fix_fields_if_needed (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:956
#16 0x00005618aecdf085 in Item::fix_fields_if_needed_for_scalar (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:960
#17 0x00005618aed5debf in Item::fix_fields_if_needed_for_bool (this=0x7fc664042ba0, thd=0x7fc664000b00, ref=0x7fc66404c0c0) at /data/src/10.4/sql/item.h:964
#18 0x00005618aed5a707 in setup_conds (thd=0x7fc664000b00, tables=0x7fc664145748, leaves=..., conds=0x7fc66404c0c0) at /data/src/10.4/sql/sql_base.cc:8372
#19 0x00005618aee2b8df in setup_without_group (thd=0x7fc664000b00, ref_pointer_array=..., tables=0x7fc664145748, leaves=..., fields=..., all_fields=..., conds=0x7fc66404c0c0, order=0x0, group=0x0, win_specs=..., win_funcs=..., hidden_group_fields=0x7fc66404bf9f, reserved=0x7fc6641454fc) at /data/src/10.4/sql/sql_select.cc:689
#20 0x00005618aee2e507 in JOIN::prepare (this=0x7fc66404bcb8, tables_init=0x7fc664145748, wild_num=0, conds_init=0x7fc664042ba0, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fc6641451f8, unit_arg=0x7fc664041150) at /data/src/10.4/sql/sql_select.cc:1231
#21 0x00005618aee3a9a5 in mysql_select (thd=0x7fc664000b00, tables=0x7fc664145748, wild_num=0, fields=..., conds=0x7fc664042ba0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147749632, result=0x7fc66404bc90, unit=0x7fc664041150, select_lex=0x7fc6641451f8) at /data/src/10.4/sql/sql_select.cc:4596
#22 0x00005618aee2af2a in handle_select (thd=0x7fc664000b00, lex=0x7fc664041088, result=0x7fc66404bc90, setup_tables_done_option=0) at /data/src/10.4/sql/sql_select.cc:425
#23 0x00005618aedf4549 in execute_sqlcom_select (thd=0x7fc664000b00, all_tables=0x7fc664145748) at /data/src/10.4/sql/sql_parse.cc:6356
#24 0x00005618aedea390 in mysql_execute_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:3898
#25 0x00005618aed053d5 in sp_instr_stmt::exec_core (this=0x7fc664146398, thd=0x7fc664000b00, nextp=0x7fc6742b96b4) at /data/src/10.4/sql/sp_head.cc:3607
#26 0x00005618aed04732 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fc6641463e0, thd=0x7fc664000b00, nextp=0x7fc6742b96b4, open_tables=false, instr=0x7fc664146398) at /data/src/10.4/sql/sp_head.cc:3335
#27 0x00005618aed04f7a in sp_instr_stmt::execute (this=0x7fc664146398, thd=0x7fc664000b00, nextp=0x7fc6742b96b4) at /data/src/10.4/sql/sp_head.cc:3513
#28 0x00005618aecfeb9a in sp_head::execute (this=0x7fc664144578, thd=0x7fc664000b00, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1346
#29 0x00005618aed01511 in sp_head::execute_procedure (this=0x7fc664144578, thd=0x7fc664000b00, args=0x7fc6640058e8) at /data/src/10.4/sql/sp_head.cc:2288
#30 0x00005618aede798b in do_execute_sp (thd=0x7fc664000b00, sp=0x7fc664144578) at /data/src/10.4/sql/sql_parse.cc:3019
#31 0x00005618aede857e in Sql_cmd_call::execute (this=0x7fc6640131d8, thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:3261
#32 0x00005618aedf306d in mysql_execute_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:6098
#33 0x00005618aedf82dd in mysql_parse (thd=0x7fc664000b00, rawbuf=0x7fc664013128 "CALL p()", length=8, parser_state=0x7fc6742bb170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7908
#34 0x00005618aede4586 in dispatch_command (command=COM_QUERY, thd=0x7fc664000b00, packet=0x7fc664008331 "CALL p()", packet_length=8, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1843
#35 0x00005618aede2ccc in do_command (thd=0x7fc664000b00) at /data/src/10.4/sql/sql_parse.cc:1360
#36 0x00005618aef5ce00 in do_handle_one_connection (connect=0x5618b2d38040) at /data/src/10.4/sql/sql_connect.cc:1404
#37 0x00005618aef5cb4f in handle_one_connection (arg=0x5618b2d38040) at /data/src/10.4/sql/sql_connect.cc:1306
#38 0x00005618af888f65 in pfs_spawn_thread (arg=0x5618b2d6d430) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#39 0x00007fc67bc5e4a4 in start_thread (arg=0x7fc6742bc700) at pthread_create.c:456
#40 0x00007fc67a1a6d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 ASAN c5bc0ced
==18836==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000117218 at pc 0x55650977f22e bp 0x7fd5632b8e90 sp 0x7fd5632b8e88
READ of size 8 at 0x625000117218 thread T5
#0 0x55650977f22d in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string) /data/src/10.4/sql/table.cc:6386
#1 0x55650977ee3b in Field_iterator_view::create_item(THD*) /data/src/10.4/sql/table.cc:6363
#2 0x556509366c44 in find_field_in_view /data/src/10.4/sql/sql_base.cc:5779
#3 0x556509368f59 in find_field_in_table_ref(THD, TABLE_LIST, char const, unsigned long, char const, char const, char const, Item*, bool, bool, unsigned int, bool, TABLE_LIST**) /data/src/10.4/sql/sql_base.cc:6118
#4 0x55650936a238 in find_field_in_tables(THD, Item_ident, TABLE_LIST, TABLE_LIST, Item**, find_item_error_report_type, bool, bool) /data/src/10.4/sql/sql_base.cc:6356
#5 0x556509c61fc5 in Item_field::fix_fields(THD, Item*) /data/src/10.4/sql/item.cc:5718
#6 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#7 0x556509d229e4 in Item_func::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:351
#8 0x556509d5f4a6 in Item_func_sp::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:6397
#9 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#10 0x556509d229e4 in Item_func::fix_fields(THD, Item*) /data/src/10.4/sql/item_func.cc:351
#11 0x556509272840 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#12 0x55650927286e in Item::fix_fields_if_needed_for_scalar(THD, Item*) /data/src/10.4/sql/item.h:960
#13 0x55650937dcf4 in Item::fix_fields_if_needed_for_bool(THD, Item*) /data/src/10.4/sql/item.h:964
#14 0x556509375c47 in setup_conds(THD, TABLE_LIST, List<TABLE_LIST>&, Item**) /data/src/10.4/sql/sql_base.cc:8372
#15 0x55650954a040 in setup_without_group /data/src/10.4/sql/sql_select.cc:689
#16 0x556509550744 in JOIN::prepare(TABLE_LIST, unsigned int, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/src/10.4/sql/sql_select.cc:1231
#17 0x5565095719c0 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.4/sql/sql_select.cc:4596
#18 0x556509548490 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:425
#19 0x5565094ce0b5 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6356
#20 0x5565094bc5ea in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3898
#21 0x5565092bcf91 in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3607
#22 0x5565092bb776 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3335
#23 0x5565092bc6d9 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3513
#24 0x5565092af958 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#25 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#26 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#27 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#28 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#29 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#30 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#31 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#32 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#33 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#34 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#35 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#36 0x7fd56c00ad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x625000117218 is located 6424 bytes inside of 8268-byte region [0x625000115900,0x62500011794c)
freed by thread T5 here:
#0 0x7fd56dd99a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x55650acccc00 in free_memory /data/src/10.4/mysys/safemalloc.c:279
#2 0x55650accc2e9 in sf_free /data/src/10.4/mysys/safemalloc.c:197
#3 0x55650ac9e8b5 in my_free /data/src/10.4/mysys/my_malloc.c:222
#4 0x55650ac7f7fa in free_root /data/src/10.4/mysys/my_alloc.c:429
#5 0x5565092afae6 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1365
#6 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#7 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#8 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#9 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#10 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#11 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#12 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#13 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#14 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#15 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#16 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

previously allocated by thread T5 here:
#0 0x7fd56dd99d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55650accbd01 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
#2 0x55650ac9e014 in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#3 0x55650ac7e985 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
#4 0x5565094e5371 in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /data/src/10.4/sql/sql_class.h:1065
#5 0x5565094b54fd in alloc_query(THD, char const, unsigned long) /data/src/10.4/sql/sql_parse.cc:2754
#6 0x5565092bc5b6 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3500
#7 0x5565092af958 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#8 0x5565092b4b5e in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2288
#9 0x5565094b6bad in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3019
#10 0x5565094b84ee in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3261
#11 0x5565094cbde4 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6098
#12 0x5565094d6269 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7908
#13 0x5565094b079d in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1843
#14 0x5565094ad6ab in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
#15 0x55650982298e in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1404
#16 0x556509822342 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1306
#17 0x55650aba2a7d in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#18 0x7fd56dac24a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T5 created by T0 here:
#0 0x7fd56dd08f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x55650aba2e6a in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x556509214d88 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x556509228eba in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6238
#4 0x55650922959d in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6308
#5 0x556509229928 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6406
#6 0x55650922a57a in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6564
#7 0x55650922873b in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5896
#8 0x556509212c6f in main /data/src/10.4/sql/main.cc:25
#9 0x7fd56bf422e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/table.cc:6386 in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string)
Shadow bytes around the buggy address:
0x0c4a8001adf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001ae40: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001ae90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18836==ABORTING

Comments

Comment by Elena Stepanova [ 2019-10-27 ]

The test case is very similar, but the stack trace is different (probably due to UPDATE instead of SELECT in the procedure). Please make sure it's fixed too, or extract it into a separate report if necessary.

CREATE TABLE t1 (a INT, b INT);

CREATE TABLE t2 (c INT);

CREATE ALGORITHM=MERGE VIEW v1 AS SELECT * FROM t1;

CREATE ALGORITHM=MERGE VIEW v2 AS SELECT a, b FROM v1 JOIN t2;

CREATE PROCEDURE pr() UPDATE v2 SET b = NULL ORDER BY a LIMIT 1;

LOCK TABLES t1 READ;

--error ER_TABLE_NOT_LOCKED

CALL pr;

UNLOCK TABLES;

CALL pr;

CALL pr;

# Cleanup

DROP PROCEDURE pr;

DROP VIEW v2;

DROP VIEW v1;

DROP TABLE t1, t2;

10.4 9afbb106
#3 <signal handler called>
#4 0x0000560ca3478152 in create_view_field (thd=0x7fbea8000b00, view=0x7fbea8041de0, field_ref=0x7fbea804f480, name=0x7fbea804f488) at /data/src/10.4/sql/table.cc:6421
#5 0x0000560ca3477f9d in Field_iterator_view::create_item (this=0x7fbeb9d86070, thd=0x7fbea8000b00) at /data/src/10.4/sql/table.cc:6398
#6 0x0000560ca32a7e1b in find_field_in_view (thd=0x7fbea8000b00, table_list=0x7fbea8041de0, name=0x7fbea80424a8 "b", length=1, item_name=0x7fbea80424a8 "b", ref=0x7fbea8042650, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:5760
#7 0x0000560ca32a8e8b in find_field_in_table_ref (thd=0x7fbea8000b00, table_list=0x7fbea8041de0, name=0x7fbea80424a8 "b", length=1, item_name=0x7fbea80424a8 "b", db_name=0x0, table_name=0x0, ref=0x7fbea8042650, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fbea8042584, register_tree_change=true, actual_table=0x7fbeb9d86260) at /data/src/10.4/sql/sql_base.cc:6099
#8 0x0000560ca32a9815 in find_field_in_tables (thd=0x7fbea8000b00, item=0x7fbea80424b0, first_table=0x7fbea8041de0, last_table=0x0, ref=0x7fbea8042650, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.4/sql/sql_base.cc:6337
#9 0x0000560ca36cde12 in Item_field::fix_fields (this=0x7fbea80424b0, thd=0x7fbea8000b00, reference=0x7fbea8042650) at /data/src/10.4/sql/item.cc:5732
#10 0x0000560ca322e685 in Item::fix_fields_if_needed (this=0x7fbea80424b0, thd=0x7fbea8000b00, ref=0x7fbea8042650) at /data/src/10.4/sql/item.h:956
#11 0x0000560ca322e6b3 in Item::fix_fields_if_needed_for_scalar (this=0x7fbea80424b0, thd=0x7fbea8000b00, ref=0x7fbea8042650) at /data/src/10.4/sql/item.h:960
#12 0x0000560ca32acc00 in setup_fields (thd=0x7fbea8000b00, ref_pointer_array=..., fields=..., column_usage=MARK_COLUMNS_WRITE, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.4/sql/sql_base.cc:7614
#13 0x0000560ca345b236 in setup_fields_with_no_wrap (thd=0x7fbea8000b00, ref_pointer_array=..., item=..., column_usage=MARK_COLUMNS_WRITE, sum_func_list=0x0, allow_sum_func=false) at /data/src/10.4/sql/sql_base.h:377
#14 0x0000560ca345620d in Multiupdate_prelocking_strategy::handle_end (this=0x7fbeb9d86a20, thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_update.cc:1685
#15 0x0000560ca32a4c5d in open_tables (thd=0x7fbea8000b00, options=..., start=0x7fbeb9d869f8, counter=0x7fbeb9d869f4, flags=0, prelocking_strategy=0x7fbeb9d86a20) at /data/src/10.4/sql/sql_base.cc:4432
#16 0x0000560ca3450f44 in open_tables (thd=0x7fbea8000b00, tables=0x7fbeb9d869f8, counter=0x7fbeb9d869f4, flags=0, prelocking_strategy=0x7fbeb9d86a20) at /data/src/10.4/sql/sql_base.h:258
#17 0x0000560ca345688a in mysql_multi_update_prepare (thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_update.cc:1822
#18 0x0000560ca3345d2b in mysql_execute_command (thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_parse.cc:4403
#19 0x0000560ca3256450 in sp_instr_stmt::exec_core (this=0x7fbea8042890, thd=0x7fbea8000b00, nextp=0x7fbeb9d876b4) at /data/src/10.4/sql/sp_head.cc:3670
#20 0x0000560ca32557a9 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fbea80428d8, thd=0x7fbea8000b00, nextp=0x7fbeb9d876b4, open_tables=false, instr=0x7fbea8042890) at /data/src/10.4/sql/sp_head.cc:3398
#21 0x0000560ca3256014 in sp_instr_stmt::execute (this=0x7fbea8042890, thd=0x7fbea8000b00, nextp=0x7fbeb9d876b4) at /data/src/10.4/sql/sp_head.cc:3576
#22 0x0000560ca324f6b9 in sp_head::execute (this=0x7fbea80410c8, thd=0x7fbea8000b00, merge_da_on_success=true) at /data/src/10.4/sql/sp_head.cc:1346
#23 0x0000560ca32524ed in sp_head::execute_procedure (this=0x7fbea80410c8, thd=0x7fbea8000b00, args=0x7fbea80058e8) at /data/src/10.4/sql/sp_head.cc:2351
#24 0x0000560ca3341415 in do_execute_sp (thd=0x7fbea8000b00, sp=0x7fbea80410c8) at /data/src/10.4/sql/sql_parse.cc:3014
#25 0x0000560ca33420fc in Sql_cmd_call::execute (this=0x7fbea80131f0, thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_parse.cc:3256
#26 0x0000560ca334d3f1 in mysql_execute_command (thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_parse.cc:6094
#27 0x0000560ca3352ac5 in mysql_parse (thd=0x7fbea8000b00, rawbuf=0x7fbea8013148 "CALL pr", length=7, parser_state=0x7fbeb9d89170, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:7912
#28 0x0000560ca333dd58 in dispatch_command (command=COM_QUERY, thd=0x7fbea8000b00, packet=0x7fbea8008351 "CALL pr", packet_length=7, is_com_multi=false, is_next_command=false) at /data/src/10.4/sql/sql_parse.cc:1841
#29 0x0000560ca333c3e5 in do_command (thd=0x7fbea8000b00) at /data/src/10.4/sql/sql_parse.cc:1359
#30 0x0000560ca34c3e17 in do_handle_one_connection (connect=0x560ca741be60) at /data/src/10.4/sql/sql_connect.cc:1412
#31 0x0000560ca34c3b66 in handle_one_connection (arg=0x560ca741be60) at /data/src/10.4/sql/sql_connect.cc:1316
#32 0x0000560ca3ec6aa5 in pfs_spawn_thread (arg=0x560ca73406c0) at /data/src/10.4/storage/perfschema/pfs.cc:1862
#33 0x00007fbec172d4a4 in start_thread (arg=0x7fbeb9d8a700) at pthread_create.c:456
#34 0x00007fbebfc74d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.4 9afbb106 ASAN
==26840==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000114350 at pc 0x559d066983e5 bp 0x7f39fdbbd000 sp 0x7f39fdbbcff8
READ of size 8 at 0x625000114350 thread T5
#0 0x559d066983e4 in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string) /data/src/10.4/sql/table.cc:6421
#1 0x559d06697f8f in Field_iterator_view::create_item(THD*) /data/src/10.4/sql/table.cc:6398
#2 0x559d0626fa18 in find_field_in_view /data/src/10.4/sql/sql_base.cc:5760
#3 0x559d06271f28 in find_field_in_table_ref(THD, TABLE_LIST, char const, unsigned long, char const, char const, char const, Item*, bool, bool, unsigned int, bool, TABLE_LIST**) /data/src/10.4/sql/sql_base.cc:6099
#4 0x559d06273277 in find_field_in_tables(THD, Item_ident, TABLE_LIST, TABLE_LIST, Item**, find_item_error_report_type, bool, bool) /data/src/10.4/sql/sql_base.cc:6337
#5 0x559d06b976e1 in Item_field::fix_fields(THD, Item*) /data/src/10.4/sql/item.cc:5732
#6 0x559d06176b72 in Item::fix_fields_if_needed(THD, Item*) /data/src/10.4/sql/item.h:956
#7 0x559d06176ba0 in Item::fix_fields_if_needed_for_scalar(THD, Item*) (/data/bld/10.4-asan/bin/mysqld+0xfe4ba0)
#8 0x559d0627a023 in setup_fields(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /data/src/10.4/sql/sql_base.cc:7614
#9 0x559d066546ba in setup_fields_with_no_wrap(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>*, bool) /data/src/10.4/sql/sql_base.h:377
#10 0x559d066477f6 in Multiupdate_prelocking_strategy::handle_end(THD*) /data/src/10.4/sql/sql_update.cc:1685
#11 0x559d062684b8 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/src/10.4/sql/sql_base.cc:4432
#12 0x559d0663ca65 in open_tables /data/src/10.4/sql/sql_base.h:258
#13 0x559d066484fb in mysql_multi_update_prepare(THD*) /data/src/10.4/sql/sql_update.cc:1822
#14 0x559d063cd65d in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4403
#15 0x559d061c2f5b in sp_instr_stmt::exec_core(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3670
#16 0x559d061c17a1 in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /data/src/10.4/sql/sp_head.cc:3398
#17 0x559d061c2727 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3576
#18 0x559d061b51ab in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#19 0x559d061baaee in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2351
#20 0x559d063c4bcc in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3014
#21 0x559d063c65fe in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3256
#22 0x559d063da6ee in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6094
#23 0x559d063e4f95 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
#24 0x559d063be5e2 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
#25 0x559d063bb4d6 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
#26 0x559d0673f57c in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#27 0x559d0673ef30 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#28 0x559d07b9cd85 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#29 0x7f3a083c74a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
#30 0x7f3a0690ed0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)

0x625000114350 is located 4688 bytes inside of 8268-byte region [0x625000113100,0x62500011514c)
freed by thread T5 here:
#0 0x7f3a0869ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x559d07cce8c5 in free_memory /data/src/10.4/mysys/safemalloc.c:279
#2 0x559d07ccdfae in sf_free /data/src/10.4/mysys/safemalloc.c:197
#3 0x559d07ca00eb in my_free /data/src/10.4/mysys/my_malloc.c:222
#4 0x559d07c80802 in free_root /data/src/10.4/mysys/my_alloc.c:420
#5 0x559d061b5975 in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1428
#6 0x559d061baaee in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2351
#7 0x559d063c4bcc in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3014
#8 0x559d063c65fe in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3256
#9 0x559d063da6ee in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6094
#10 0x559d063e4f95 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
#11 0x559d063be5e2 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
#12 0x559d063bb4d6 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
#13 0x559d0673f57c in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#14 0x559d0673ef30 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#15 0x559d07b9cd85 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#16 0x7f3a083c74a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

previously allocated by thread T5 here:
#0 0x7f3a0869ed28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x559d07ccd9c6 in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
#2 0x559d07c9f7fa in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#3 0x559d07c7fa98 in alloc_root /data/src/10.4/mysys/my_alloc.c:250
#4 0x559d063f454d in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /data/src/10.4/sql/sql_class.h:1065
#5 0x559d063c34e4 in alloc_query(THD, char const, unsigned long) /data/src/10.4/sql/sql_parse.cc:2749
#6 0x559d061c2604 in sp_instr_stmt::execute(THD, unsigned int) /data/src/10.4/sql/sp_head.cc:3563
#7 0x559d061b51ab in sp_head::execute(THD*, bool) /data/src/10.4/sql/sp_head.cc:1346
#8 0x559d061baaee in sp_head::execute_procedure(THD, List<Item>) /data/src/10.4/sql/sp_head.cc:2351
#9 0x559d063c4bcc in do_execute_sp /data/src/10.4/sql/sql_parse.cc:3014
#10 0x559d063c65fe in Sql_cmd_call::execute(THD*) /data/src/10.4/sql/sql_parse.cc:3256
#11 0x559d063da6ee in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:6094
#12 0x559d063e4f95 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7912
#13 0x559d063be5e2 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1841
#14 0x559d063bb4d6 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1359
#15 0x559d0673f57c in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
#16 0x559d0673ef30 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
#17 0x559d07b9cd85 in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1862
#18 0x7f3a083c74a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)

Thread T5 created by T0 here:
#0 0x7f3a0860df59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
#1 0x559d07b9d172 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1912
#2 0x559d06116fc8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x559d0612b57d in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6233
#4 0x559d0612bc60 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6303
#5 0x559d0612bfeb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6401
#6 0x559d0612cc3d in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6559
#7 0x559d0612adfe in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5891
#8 0x559d06114eaf in main /data/src/10.4/sql/main.cc:25
#9 0x7f3a068462e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.4/sql/table.cc:6421 in create_view_field(THD, TABLE_LIST, Item*, st_mysql_const_lex_string)
Shadow bytes around the buggy address:
0x0c4a8001a810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a840: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a8001a860: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c4a8001a870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a8a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a8001a8b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26840==ABORTING

Comment by Elena Stepanova [ 2020-02-18 ]

Yet another variation of the stack trace with a similar test case:

CREATE TABLE t (a INT, b INT);

CREATE ALGORITHM=MERGE VIEW v AS SELECT * FROM ( SELECT t2.* FROM t AS t1, t AS t2 ) AS sq;

CREATE PROCEDURE pr() UPDATE v SET b = 0;

LOCK TABLES t WRITE;

--error ER_TABLE_NOT_LOCKED

CALL pr;

UNLOCK TABLES;

--error ER_NON_UPDATABLE_TABLE

CALL pr;

CALL pr;

# Cleanup

DROP PROCEDURE pr;

DROP VIEW v;

DROP TABLE t;

10.2 non-debug 93dc3e26
pure virtual method called
terminate called without an active exception
200218 14:21:07 [ERROR] mysqld got signal 6 ;

#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x00007f0af7bc742a in __GI_abort () at abort.c:89
#6 0x00007f0af84de0ad in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007f0af84dc066 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00007f0af84dc0b1 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9 0x00007f0af84dcb8f in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x00005601dc8e67d6 in find_field_in_table_ref (thd=thd@entry=0x7f0ae00009a8, table_list=table_list@entry=0x7f0ae006b438, name=name@entry=0x7f0ae006ba60 "b", length=length@entry=1, item_name=<optimized out>, db_name=db_name@entry=0x0, table_name=0x0, ref=0x7f0ae006bc10, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7f0ae006bb34, register_tree_change=true, actual_table=0x7f0af1eecd68) at /data/src/10.2/sql/sql_base.cc:5749
#11 0x00005601dc8e6c60 in find_field_in_tables (thd=thd@entry=0x7f0ae00009a8, item=item@entry=0x7f0ae006ba70, first_table=<optimized out>, last_table=0x0, ref=ref@entry=0x7f0ae006bc10, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5987
#12 0x00005601dcacf2eb in Item_field::fix_fields (this=0x7f0ae006ba70, thd=0x7f0ae00009a8, reference=0x7f0ae006bc10) at /data/src/10.2/sql/item.cc:5474
#13 0x00005601dc8e7711 in setup_fields (thd=thd@entry=0x7f0ae00009a8, ref_pointer_array=..., fields=..., mark_used_columns=mark_used_columns@entry=MARK_COLUMNS_WRITE, sum_func_list=sum_func_list@entry=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.2/sql/sql_base.cc:7186
#14 0x00005601dc9b8f7f in setup_fields_with_no_wrap (allow_sum_func=false, sum_func_list=0x0, mark_used_columns=MARK_COLUMNS_WRITE, item=..., ref_pointer_array=..., thd=0x7f0ae00009a8) at /data/src/10.2/sql/sql_base.h:381
#15 Multiupdate_prelocking_strategy::handle_end (this=0x7f0af1eed1d0, thd=0x7f0ae00009a8) at /data/src/10.2/sql/sql_update.cc:1401
#16 0x00005601dc9bcace in mysql_multi_update_prepare (thd=thd@entry=0x7f0ae00009a8) at /data/src/10.2/sql/sql_update.cc:1549
#17 0x00005601dc9266a6 in mysql_execute_command (thd=0x7f0ae00009a8) at /data/src/10.2/sql/sql_parse.cc:4043
#18 0x00005601dc8ba4f4 in sp_instr_stmt::exec_core (this=0x7f0ae006bc28, thd=<optimized out>, nextp=0x7f0af1eee8b4) at /data/src/10.2/sql/sp_head.cc:3239
#19 0x00005601dc8c0387 in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7f0ae006bc68, thd=thd@entry=0x7f0ae00009a8, nextp=nextp@entry=0x7f0af1eee8b4, open_tables=open_tables@entry=false, instr=instr@entry=0x7f0ae006bc28) at /data/src/10.2/sql/sp_head.cc:3002
#20 0x00005601dc8c099c in sp_instr_stmt::execute (this=0x7f0ae006bc28, thd=0x7f0ae00009a8, nextp=0x7f0af1eee8b4) at /data/src/10.2/sql/sp_head.cc:3155
#21 0x00005601dc8bd1bb in sp_head::execute (this=this@entry=0x7f0ae006a860, thd=thd@entry=0x7f0ae00009a8, merge_da_on_success=merge_da_on_success@entry=true) at /data/src/10.2/sql/sp_head.cc:1320
#22 0x00005601dc8be7c8 in sp_head::execute_procedure (this=0x7f0ae006a860, thd=thd@entry=0x7f0ae00009a8, args=0x7f0ae0005120) at /data/src/10.2/sql/sp_head.cc:2109
#23 0x00005601dc91e470 in do_execute_sp (thd=0x7f0ae00009a8, sp=<optimized out>) at /data/src/10.2/sql/sql_parse.cc:2953
#24 0x00005601dc926d22 in mysql_execute_command (thd=thd@entry=0x7f0ae00009a8) at /data/src/10.2/sql/sql_parse.cc:5581
#25 0x00005601dc92d75d in mysql_parse (thd=0x7f0ae00009a8, rawbuf=<optimized out>, length=7, parser_state=0x7f0af1ef0240, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_parse.cc:7739
#26 0x00005601dc9305cb in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f0ae00009a8, packet=packet@entry=0x7f0ae0006cf9 "CALL pr", packet_length=packet_length@entry=7, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:1831
#27 0x00005601dc930ec7 in do_command (thd=0x7f0ae00009a8) at /data/src/10.2/sql/sql_parse.cc:1384
#28 0x00005601dc9f0d14 in do_handle_one_connection (connect=connect@entry=0x5601e017a3d8) at /data/src/10.2/sql/sql_connect.cc:1336
#29 0x00005601dc9f0dc4 in handle_one_connection (arg=arg@entry=0x5601e017a3d8) at /data/src/10.2/sql/sql_connect.cc:1241
#30 0x00005601dcf2be44 in pfs_spawn_thread (arg=0x5601e017ee48) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#31 0x00007f0af9b474a4 in start_thread (arg=0x7f0af1ef1700) at pthread_create.c:456
#32 0x00007f0af7c7bd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

The debug version produces a stack trace identical to one of the previously reported:

10.2 debug 959fc0c0
#3 <signal handler called>
#4 0x0000564a2929f5b3 in create_view_field (thd=0x7fd4dc000af0, view=0x7fd4dc07d410, field_ref=0x7fd4dc03bdb8, name=0x7fd4dc03bdd0 "b") at /data/src/10.2/sql/table.cc:5888
#5 0x0000564a2929f4af in Field_iterator_view::create_item (this=0x7fd4edff9e10, thd=0x7fd4dc000af0) at /data/src/10.2/sql/table.cc:5863
#6 0x0000564a29124e34 in find_field_in_view (thd=0x7fd4dc000af0, table_list=0x7fd4dc07d410, name=0x7fd4dc07da38 "b", length=1, item_name=0x7fd4dc07da38 "b", ref=0x7fd4dc07dbe8, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5320
#7 0x0000564a29125e01 in find_field_in_table_ref (thd=0x7fd4dc000af0, table_list=0x7fd4dc07d410, name=0x7fd4dc07da38 "b", length=1, item_name=0x7fd4dc07da38 "b", db_name=0x0, table_name=0x0, ref=0x7fd4dc07dbe8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7fd4dc07db0c, register_tree_change=true, actual_table=0x7fd4edffa008) at /data/src/10.2/sql/sql_base.cc:5680
#8 0x0000564a291269ed in find_field_in_tables (thd=0x7fd4dc000af0, item=0x7fd4dc07da48, first_table=0x7fd4dc07d410, last_table=0x0, ref=0x7fd4dc07dbe8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5987
#9 0x0000564a29432bb2 in Item_field::fix_fields (this=0x7fd4dc07da48, thd=0x7fd4dc000af0, reference=0x7fd4dc07dbe8) at /data/src/10.2/sql/item.cc:5474
#10 0x0000564a291297a3 in setup_fields (thd=0x7fd4dc000af0, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_WRITE, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.2/sql/sql_base.cc:7186
#11 0x0000564a29287164 in setup_fields_with_no_wrap (thd=0x7fd4dc000af0, ref_pointer_array=..., item=..., mark_used_columns=MARK_COLUMNS_WRITE, sum_func_list=0x0, allow_sum_func=false) at /data/src/10.2/sql/sql_base.h:381
#12 0x0000564a29282d17 in Multiupdate_prelocking_strategy::handle_end (this=0x7fd4edffa630, thd=0x7fd4dc000af0) at /data/src/10.2/sql/sql_update.cc:1401
#13 0x0000564a292833aa in mysql_multi_update_prepare (thd=0x7fd4dc000af0) at /data/src/10.2/sql/sql_update.cc:1549
#14 0x0000564a29191f04 in mysql_execute_command (thd=0x7fd4dc000af0) at /data/src/10.2/sql/sql_parse.cc:4043
#15 0x0000564a290e51aa in sp_instr_stmt::exec_core (this=0x7fd4dc07dc00, thd=0x7fd4dc000af0, nextp=0x7fd4edffb1e4) at /data/src/10.2/sql/sp_head.cc:3239
#16 0x0000564a290e4823 in sp_lex_keeper::reset_lex_and_exec_core (this=0x7fd4dc07dc40, thd=0x7fd4dc000af0, nextp=0x7fd4edffb1e4, open_tables=false, instr=0x7fd4dc07dc00) at /data/src/10.2/sql/sp_head.cc:3002
#17 0x0000564a290e4e5b in sp_instr_stmt::execute (this=0x7fd4dc07dc00, thd=0x7fd4dc000af0, nextp=0x7fd4edffb1e4) at /data/src/10.2/sql/sp_head.cc:3155
#18 0x0000564a290e0022 in sp_head::execute (this=0x7fd4dc07c838, thd=0x7fd4dc000af0, merge_da_on_success=true) at /data/src/10.2/sql/sp_head.cc:1320
#19 0x0000564a290e20a2 in sp_head::execute_procedure (this=0x7fd4dc07c838, thd=0x7fd4dc000af0, args=0x7fd4dc005428) at /data/src/10.2/sql/sp_head.cc:2109
#20 0x0000564a2918ecda in do_execute_sp (thd=0x7fd4dc000af0, sp=0x7fd4dc07c838) at /data/src/10.2/sql/sql_parse.cc:2953
#21 0x0000564a291973fc in mysql_execute_command (thd=0x7fd4dc000af0) at /data/src/10.2/sql/sql_parse.cc:5571
#22 0x0000564a2919dbea in mysql_parse (thd=0x7fd4dc000af0, rawbuf=0x7fd4dc012448 "CALL pr", length=7, parser_state=0x7fd4edffc200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7739
#23 0x0000564a2918bf43 in dispatch_command (command=COM_QUERY, thd=0x7fd4dc000af0, packet=0x7fd4dc08c2c1 "CALL pr", packet_length=7, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1831
#24 0x0000564a2918a897 in do_command (thd=0x7fd4dc000af0) at /data/src/10.2/sql/sql_parse.cc:1384
#25 0x0000564a292df8d3 in do_handle_one_connection (connect=0x564a2bd58d30) at /data/src/10.2/sql/sql_connect.cc:1336
#26 0x0000564a292df63e in handle_one_connection (arg=0x564a2bd58d30) at /data/src/10.2/sql/sql_connect.cc:1241
#27 0x0000564a29afb6de in pfs_spawn_thread (arg=0x564a2bcfcc40) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#28 0x00007fd4f5c514a4 in start_thread (arg=0x7fd4edffd700) at pthread_create.c:456
#29 0x00007fd4f3d85d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Comment by Elena Stepanova [ 2020-02-29 ]

A similar but fully simplified/cleaned test case which causes yet another variation of the crash:

CREATE TABLE t1 (f1 INT NOT NULL AUTO_INCREMENT, f2 INT , f3 INT , f4 INT, PRIMARY KEY (f1), KEY(f2));

CREATE TABLE t2 (f1 INT, f2 INT, f3 INT, f4 INT, KEY (f2), KEY(f4));

CREATE PROCEDURE sp() REPLACE INTO v2 ( f1, f2, f3 ) VALUES ( 2, 'product', 7 ), ( NULL, 'powder', 'g' );

CREATE ALGORITHM=MERGE VIEW v1 AS SELECT f1, f2, f3, f4 FROM ( SELECT f1, min(f2) as f2, max(f3) as f3, count(f4) as f4 FROM t2 GROUP BY f1 ) AS sq;

--connect (con17_0,localhost,root,,test)

CREATE ALGORITHM=MERGE VIEW v2 AS SELECT a1.f1 AS f1, a2.f2 AS f2, a1.f3 AS f3 FROM t1 AS a1 JOIN v1 AS a2 ON a1.f4 <= a2.f1;

--connection default

LOCK TABLE t2 WRITE;

--error 1100

CALL sp;

UNLOCK TABLES;

--error 1393

CALL sp;

CALL sp;

10.2 debug 8382f106
#3 <signal handler called>
#4 0x000055e5c2e247ef in create_view_field (thd=0x7f9774000af0, view=0x7f977407d500, field_ref=0x7f9774041920, name=0x7f9774041948 "f2") at /data/src/10.2/sql/table.cc:5888
#5 0x000055e5c2e246eb in Field_iterator_view::create_item (this=0x7f978563baf0, thd=0x7f9774000af0) at /data/src/10.2/sql/table.cc:5863
#6 0x000055e5c2caa070 in find_field_in_view (thd=0x7f9774000af0, table_list=0x7f977407d500, name=0x7f977407dc38 "f2", length=2, item_name=0x7f977407dc38 "f2", ref=0x7f977407dd50, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5320
#7 0x000055e5c2cab03d in find_field_in_table_ref (thd=0x7f9774000af0, table_list=0x7f977407d500, name=0x7f977407dc38 "f2", length=2, item_name=0x7f977407dc38 "f2", db_name=0x0, table_name=0x0, ref=0x7f977407dd50, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7f977407dd0c, register_tree_change=true, actual_table=0x7f978563bce8) at /data/src/10.2/sql/sql_base.cc:5680
#8 0x000055e5c2cab8fb in find_field_in_tables (thd=0x7f9774000af0, item=0x7f977407dc48, first_table=0x7f977407d500, last_table=0x0, ref=0x7f977407dd50, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5916
#9 0x000055e5c2fb7e12 in Item_field::fix_fields (this=0x7f977407dc48, thd=0x7f9774000af0, reference=0x7f977407dd50) at /data/src/10.2/sql/item.cc:5474
#10 0x000055e5c2cae9df in setup_fields (thd=0x7f9774000af0, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_WRITE, sum_func_list=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.2/sql/sql_base.cc:7186
#11 0x000055e5c2cee8a7 in check_insert_fields (thd=0x7f9774000af0, table_list=0x7f977407d500, fields=..., values=..., check_unique=false, fields_and_values_from_different_maps=false, map=0x7f978563c330) at /data/src/10.2/sql/sql_insert.cc:271
#12 0x000055e5c2cf1ac9 in mysql_prepare_insert (thd=0x7f9774000af0, table_list=0x7f977407d500, table=0x0, fields=..., values=0x7f977407de78, update_fields=..., update_values=..., duplic=DUP_REPLACE, where=0x7f978563c480, select_insert=false) at /data/src/10.2/sql/sql_insert.cc:1548
#13 0x000055e5c2cef893 in mysql_insert (thd=0x7f9774000af0, table_list=0x7f977407d500, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_REPLACE, ignore=false) at /data/src/10.2/sql/sql_insert.cc:771
#14 0x000055e5c2d17681 in mysql_execute_command (thd=0x7f9774000af0) at /data/src/10.2/sql/sql_parse.cc:4166
#15 0x000055e5c2c6a3e6 in sp_instr_stmt::exec_core (this=0x7f977407e2c8, thd=0x7f9774000af0, nextp=0x7f978563d1e4) at /data/src/10.2/sql/sp_head.cc:3239
#16 0x000055e5c2c69a5f in sp_lex_keeper::reset_lex_and_exec_core (this=0x7f977407e308, thd=0x7f9774000af0, nextp=0x7f978563d1e4, open_tables=false, instr=0x7f977407e2c8) at /data/src/10.2/sql/sp_head.cc:3002
#17 0x000055e5c2c6a097 in sp_instr_stmt::execute (this=0x7f977407e2c8, thd=0x7f9774000af0, nextp=0x7f978563d1e4) at /data/src/10.2/sql/sp_head.cc:3155
#18 0x000055e5c2c6525e in sp_head::execute (this=0x7f977407c7a8, thd=0x7f9774000af0, merge_da_on_success=true) at /data/src/10.2/sql/sp_head.cc:1320
#19 0x000055e5c2c672de in sp_head::execute_procedure (this=0x7f977407c7a8, thd=0x7f9774000af0, args=0x7f9774005428) at /data/src/10.2/sql/sp_head.cc:2109
#20 0x000055e5c2d13f16 in do_execute_sp (thd=0x7f9774000af0, sp=0x7f977407c7a8) at /data/src/10.2/sql/sql_parse.cc:2953
#21 0x000055e5c2d1c638 in mysql_execute_command (thd=0x7f9774000af0) at /data/src/10.2/sql/sql_parse.cc:5571
#22 0x000055e5c2d22e26 in mysql_parse (thd=0x7f9774000af0, rawbuf=0x7f9774012448 "CALL sp", length=7, parser_state=0x7f978563e200, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7739
#23 0x000055e5c2d1117f in dispatch_command (command=COM_QUERY, thd=0x7f9774000af0, packet=0x7f977408c381 "CALL sp", packet_length=7, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1831
#24 0x000055e5c2d0fad3 in do_command (thd=0x7f9774000af0) at /data/src/10.2/sql/sql_parse.cc:1384
#25 0x000055e5c2e64b0f in do_handle_one_connection (connect=0x55e5c6777c00) at /data/src/10.2/sql/sql_connect.cc:1336
#26 0x000055e5c2e6487a in handle_one_connection (arg=0x55e5c6777c00) at /data/src/10.2/sql/sql_connect.cc:1241
#27 0x000055e5c3680a04 in pfs_spawn_thread (arg=0x55e5c671bb10) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#28 0x00007f978d2934a4 in start_thread (arg=0x7f978563f700) at pthread_create.c:456
#29 0x00007f978b3c7d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

10.2 non-debug 8382f106
pure virtual method called
terminate called without an active exception
200229 2:06:52 [ERROR] mysqld got signal 6 ;

#5 0x00007f6bb3a8842a in __GI_abort () at abort.c:89
#6 0x00007f6bb439f0ad in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007f6bb439d066 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00007f6bb439d0b1 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9 0x00007f6bb439db8f in __cxa_pure_virtual () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x00005600fc4b79c6 in find_field_in_table_ref (thd=thd@entry=0x7f6b9c0009a8, table_list=table_list@entry=0x7f6b9c08d6d8, name=name@entry=0x7f6b9c08de10 "f2", length=<optimized out>, item_name=<optimized out>, db_name=db_name@entry=0x0, table_name=0x0, ref=0x7f6b9c08df28, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x7f6b9c08dee4, register_tree_change=true, actual_table=0x7f6baddad908) at /data/src/10.2/sql/sql_base.cc:5749
#11 0x00005600fc4b7cfd in find_field_in_tables (thd=thd@entry=0x7f6b9c0009a8, item=item@entry=0x7f6b9c08de20, first_table=0x7f6b9c08d6d8, last_table=0x0, ref=ref@entry=0x7f6b9c08df28, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /data/src/10.2/sql/sql_base.cc:5916
#12 0x00005600fc6a04eb in Item_field::fix_fields (this=0x7f6b9c08de20, thd=0x7f6b9c0009a8, reference=0x7f6b9c08df28) at /data/src/10.2/sql/item.cc:5474
#13 0x00005600fc4b8901 in setup_fields (thd=thd@entry=0x7f6b9c0009a8, ref_pointer_array=..., fields=..., mark_used_columns=mark_used_columns@entry=MARK_COLUMNS_WRITE, sum_func_list=sum_func_list@entry=0x0, pre_fix=0x0, allow_sum_func=false) at /data/src/10.2/sql/sql_base.cc:7186
#14 0x00005600fc4d9c3a in check_insert_fields (thd=thd@entry=0x7f6b9c0009a8, table_list=0x7f6b9c08d6d8, fields=..., values=..., check_unique=<optimized out>, fields_and_values_from_different_maps=fields_and_values_from_different_maps@entry=false, map=0x7f6baddade10) at /data/src/10.2/sql/sql_insert.cc:271
#15 0x00005600fc4daf20 in mysql_prepare_insert (thd=thd@entry=0x7f6b9c0009a8, table_list=table_list@entry=0x7f6b9c08d6d8, table=table@entry=0x0, fields=..., values=values@entry=0x7f6b9c08e050, update_fields=..., update_values=..., duplic=DUP_REPLACE, where=0x7f6baddadf28, select_insert=false) at /data/src/10.2/sql/sql_insert.cc:1548
#16 0x00005600fc4e4000 in mysql_insert (thd=thd@entry=0x7f6b9c0009a8, table_list=0x7f6b9c08d6d8, fields=..., values_list=..., update_fields=..., update_values=..., duplic=DUP_REPLACE, ignore=false) at /data/src/10.2/sql/sql_insert.cc:771
#17 0x00005600fc4f92bb in mysql_execute_command (thd=0x7f6b9c0009a8) at /data/src/10.2/sql/sql_parse.cc:4166
#18 0x00005600fc48b6e4 in sp_instr_stmt::exec_core (this=0x7f6b9c08e4a0, thd=<optimized out>, nextp=0x7f6baddaf8b4) at /data/src/10.2/sql/sp_head.cc:3239
#19 0x00005600fc491577 in sp_lex_keeper::reset_lex_and_exec_core (this=this@entry=0x7f6b9c08e4e0, thd=thd@entry=0x7f6b9c0009a8, nextp=nextp@entry=0x7f6baddaf8b4, open_tables=open_tables@entry=false, instr=instr@entry=0x7f6b9c08e4a0) at /data/src/10.2/sql/sp_head.cc:3002
#20 0x00005600fc491b8c in sp_instr_stmt::execute (this=0x7f6b9c08e4a0, thd=0x7f6b9c0009a8, nextp=0x7f6baddaf8b4) at /data/src/10.2/sql/sp_head.cc:3155
#21 0x00005600fc48e3ab in sp_head::execute (this=this@entry=0x7f6b9c08c980, thd=thd@entry=0x7f6b9c0009a8, merge_da_on_success=merge_da_on_success@entry=true) at /data/src/10.2/sql/sp_head.cc:1320
#22 0x00005600fc48f9b8 in sp_head::execute_procedure (this=0x7f6b9c08c980, thd=thd@entry=0x7f6b9c0009a8, args=0x7f6b9c005120) at /data/src/10.2/sql/sp_head.cc:2109
#23 0x00005600fc4ef660 in do_execute_sp (thd=0x7f6b9c0009a8, sp=<optimized out>) at /data/src/10.2/sql/sql_parse.cc:2953
#24 0x00005600fc4f7f12 in mysql_execute_command (thd=thd@entry=0x7f6b9c0009a8) at /data/src/10.2/sql/sql_parse.cc:5581
#25 0x00005600fc4fe94d in mysql_parse (thd=0x7f6b9c0009a8, rawbuf=<optimized out>, length=7, parser_state=0x7f6baddb1240, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/src/10.2/sql/sql_parse.cc:7739
#26 0x00005600fc5017bb in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f6b9c0009a8, packet=packet@entry=0x7f6b9c006cf9 "CALL sp", packet_length=packet_length@entry=7, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /data/src/10.2/sql/sql_parse.cc:1831
#27 0x00005600fc5020b7 in do_command (thd=0x7f6b9c0009a8) at /data/src/10.2/sql/sql_parse.cc:1384
#28 0x00005600fc5c1f04 in do_handle_one_connection (connect=connect@entry=0x5600ff79d448) at /data/src/10.2/sql/sql_connect.cc:1336
#29 0x00005600fc5c1fb4 in handle_one_connection (arg=arg@entry=0x5600ff79d448) at /data/src/10.2/sql/sql_connect.cc:1241
#30 0x00005600fcafd194 in pfs_spawn_thread (arg=0x5600ff771478) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#31 0x00007f6bb5a084a4 in start_thread (arg=0x7f6baddb2700) at pthread_create.c:456
#32 0x00007f6bb3b3cd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Comment by Elena Stepanova [ 2021-01-02 ]

Here is another variation of the failure worth recording. I'm getting it with very similar test cases on CentOS 7, while the same test cases on other machines produces failures earlier described in this issue. Maybe the difference has something to do with CentOS 7 still having gcc 4.8.5.

10.2 f99abb45
mysqld: /home/elenst/src/10.2/sql/sql_parse.cc:7177: bool check_stack_overrun(THD, long int, uchar): Assertion `thd == _current_thd()' failed.
210102 23:36:04 [ERROR] mysqld got signal 6 ;

#7 0x00002b35a2491202 in __GI___assert_fail (assertion=0x5566ac02dc24 "thd == _current_thd()", file=0x5566ac02c900 "/home/elenst/src/10.2/sql/sql_parse.cc", line=7177, function=0x5566ac02ef00 <check_stack_overrun(THD, long, unsigned char)::__PRETTY_FUNCTION__> "bool check_stack_overrun(THD, long int, uchar)") at assert.c:101
#8 0x00005566ab5640b7 in check_stack_overrun (thd=0x5566ac01afe0, margin=32000, buf=0x2b35a7f643c0 "@D\366\247\065+") at /home/elenst/src/10.2/sql/sql_parse.cc:7177
#9 0x00005566ab854b02 in Item_func::fix_fields (this=0x2b35ec02df80, thd=0x5566ac01afe0, ref=0x2b35ec02df80) at /home/elenst/src/10.2/sql/item_func.cc:190
#10 0x00005566ab4f6b75 in Item_ref::real_item (this=0x2b35ec02e798) at /home/elenst/src/10.2/sql/item.h:4528
#11 0x00005566ab4ec61e in find_field_in_view (thd=0x2b35ec000b90, table_list=0x2b35ec030c88, name=0x2b35ec028588 "field2", length=6, item_name=0x2b35ec0286d0 "field2", ref=0x2b35ec0286c8, register_tree_change=true) at /home/elenst/src/10.2/sql/sql_base.cc:5409
#12 0x00005566ab4ed4b3 in find_field_in_table_ref (thd=0x2b35ec000b90, table_list=0x2b35ec030c88, name=0x2b35ec028588 "field2", length=6, item_name=0x2b35ec0286d0 "field2", db_name=0x0, table_name=0x0, ref=0x2b35ec0286c8, check_privileges=true, allow_rowid=true, cached_field_index_ptr=0x2b35ec028664, register_tree_change=true, actual_table=0x2b35a7f647d8) at /home/elenst/src/10.2/sql/sql_base.cc:5746
#13 0x00005566ab4eddaa in find_field_in_tables (thd=0x2b35ec000b90, item=0x2b35ec0285a0, first_table=0x2b35ec030c88, last_table=0x0, ref=0x2b35ec0286c8, report_error=IGNORE_EXCEPT_NON_UNIQUE, check_privileges=true, register_tree_change=true) at /home/elenst/src/10.2/sql/sql_base.cc:5983
#14 0x00005566ab7ff5e2 in Item_field::fix_fields (this=0x2b35ec0285a0, thd=0x2b35ec000b90, reference=0x2b35ec0286c8) at /home/elenst/src/10.2/sql/item.cc:5462
#15 0x00005566ab4f0e7b in setup_fields (thd=0x2b35ec000b90, ref_pointer_array=..., fields=..., mark_used_columns=MARK_COLUMNS_READ, sum_func_list=0x2b35ec040e48, pre_fix=0x2b35ec02f568, allow_sum_func=true) at /home/elenst/src/10.2/sql/sql_base.cc:7253
#16 0x00005566ab59819b in JOIN::prepare (this=0x2b35ec040b28, tables_init=0x2b35ec030c88, wild_num=0, conds_init=0x2b35ec032358, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x2b35ec02f428, unit_arg=0x2b35ec02ece8) at /home/elenst/src/10.2/sql/sql_select.cc:814
#17 0x00005566ab64542b in st_select_lex_unit::prepare (this=0x2b35ec02ece8, thd_arg=0x2b35ec000b90, sel_result=0x2b35ec02e6a8, additional_options=0) at /home/elenst/src/10.2/sql/sql_union.cc:618
#18 0x00005566ab528f4e in mysql_derived_prepare (thd=0x2b35ec000b90, lex=0x2b35ec026a88, derived=0x2b35ec0252e8) at /home/elenst/src/10.2/sql/sql_derived.cc:741
#19 0x00005566ab527db1 in mysql_handle_single_derived (lex=0x2b35ec026a88, derived=0x2b35ec0252e8, phases=2) at /home/elenst/src/10.2/sql/sql_derived.cc:198
#20 0x00005566ab66f23a in TABLE_LIST::handle_derived (this=0x2b35ec0252e8, lex=0x2b35ec026a88, phases=2) at /home/elenst/src/10.2/sql/table.cc:8118
#21 0x00005566ab53e8df in LEX::handle_list_of_derived (this=0x2b35ec026a88, table_list=0x2b35ec0252e8, phases=2) at /home/elenst/src/10.2/sql/sql_lex.h:3202
#22 0x00005566ab96b09f in mysql_delete (thd=0x2b35ec000b90, table_list=0x2b35ec0252e8, conds=0x2b35ec025ab8, order_list=0x2b35ec0274e8, limit=18446744073709551615, options=0, result=0x0) at /home/elenst/src/10.2/sql/sql_delete.cc:257
#23 0x00005566ab55b3b5 in mysql_execute_command (thd=0x2b35ec000b90) at /home/elenst/src/10.2/sql/sql_parse.cc:4399
#24 0x00005566ab4aba22 in sp_instr_stmt::exec_core (this=0x2b35ec0261f8, thd=0x2b35ec000b90, nextp=0x2b35a7f6658c) at /home/elenst/src/10.2/sql/sp_head.cc:3332
#25 0x00005566ab4ab03f in sp_lex_keeper::reset_lex_and_exec_core (this=0x2b35ec026238, thd=0x2b35ec000b90, nextp=0x2b35a7f6658c, open_tables=false, instr=0x2b35ec0261f8) at /home/elenst/src/10.2/sql/sp_head.cc:3095
#26 0x00005566ab4ab66f in sp_instr_stmt::execute (this=0x2b35ec0261f8, thd=0x2b35ec000b90, nextp=0x2b35a7f6658c) at /home/elenst/src/10.2/sql/sp_head.cc:3248
#27 0x00005566ab4a6705 in sp_head::execute (this=0x2b35ec024568, thd=0x2b35ec000b90, merge_da_on_success=true) at /home/elenst/src/10.2/sql/sp_head.cc:1326
#28 0x00005566ab4a88dc in sp_head::execute_procedure (this=0x2b35ec024568, thd=0x2b35ec000b90, args=0x2b35ec0054d0) at /home/elenst/src/10.2/sql/sp_head.cc:2202
#29 0x00005566ab556f26 in do_execute_sp (thd=0x2b35ec000b90, sp=0x2b35ec024568) at /home/elenst/src/10.2/sql/sql_parse.cc:2980
#30 0x00005566ab55f87a in mysql_execute_command (thd=0x2b35ec000b90) at /home/elenst/src/10.2/sql/sql_parse.cc:5598
#31 0x00005566ab565be9 in mysql_parse (thd=0x2b35ec000b90, rawbuf=0x2b35ec011138 "CALL sp_grammar2", length=16, parser_state=0x2b35a7f67610, is_com_multi=false, is_next_command=false) at /home/elenst/src/10.2/sql/sql_parse.cc:7762
#32 0x00005566ab553f9c in dispatch_command (command=COM_QUERY, thd=0x2b35ec000b90, packet=0x2b35ec008951 "CALL sp_grammar2", packet_length=16, is_com_multi=false, is_next_command=false) at /home/elenst/src/10.2/sql/sql_parse.cc:1828
#33 0x00005566ab552942 in do_command (thd=0x2b35ec000b90) at /home/elenst/src/10.2/sql/sql_parse.cc:1382
#34 0x00005566ab6abb95 in do_handle_one_connection (connect=0x5566ae7d70e0) at /home/elenst/src/10.2/sql/sql_connect.cc:1336
#35 0x00005566ab6ab8e0 in handle_one_connection (arg=0x5566ae7d70e0) at /home/elenst/src/10.2/sql/sql_connect.cc:1241
#36 0x00005566ab9f3a92 in pfs_spawn_thread (arg=0x5566ae7e2390) at /home/elenst/src/10.2/storage/perfschema/pfs.cc:1869
#37 0x00002b35a0fb5e65 in start_thread (arg=0x2b35a7f68700) at pthread_create.c:307
#38 0x00002b35a256088d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Comment by Elena Stepanova [ 2021-05-10 ]

Related to this, or maybe some other multi-update-related reports.

10.2 d0785f77
#3 <signal handler called>
#4 0x0000563c104827d2 in Item_field::print (this=0x7fa3b004d718, str=0x7fa3c9ab1300, query_type=QT_EXPLAIN) at /data/src/10.2/sql/item.cc:7351
#5 0x0000563c1046f0a9 in Item::print_parenthesised (this=0x7fa3b004d718, str=0x7fa3c9ab1300, query_type=QT_EXPLAIN, parent_prec=IN_PRECEDENCE) at /data/src/10.2/sql/item.cc:607
#6 0x0000563c1049f44c in Item_func_between::print (this=0x7fa3b004dab0, str=0x7fa3c9ab1300, query_type=QT_EXPLAIN) at /data/src/10.2/sql/item_cmpfunc.cc:2321
#7 0x0000563c1046f0a9 in Item::print_parenthesised (this=0x7fa3b004dab0, str=0x7fa3c9ab1300, query_type=QT_EXPLAIN, parent_prec=AND_PRECEDENCE) at /data/src/10.2/sql/item.cc:607
#8 0x0000563c104a76a9 in Item_cond::print (this=0x7fa3b004e3c8, str=0x7fa3c9ab1300, query_type=QT_EXPLAIN) at /data/src/10.2/sql/item_cmpfunc.cc:4956
#9 0x0000563c1048da39 in dbug_print_item (item=0x7fa3b004e3c8) at /data/src/10.2/sql/item.cc:10850
#10 0x0000563c102150b7 in JOIN::prepare (this=0x7fa3b0040cb0, tables_init=0x7fa3b004d030, wild_num=0, conds_init=0x7fa3b004e3c8, og_num=0, order_init=0x0, skip_order_by=false, group_init=0x0, having_init=0x0, proc_param_init=0x0, select_lex_arg=0x7fa3b00152e0, unit_arg=0x7fa3b0014ba0) at /data/src/10.2/sql/sql_select.cc:723
#11 0x0000563c102c4298 in st_select_lex_unit::prepare (this=0x7fa3b0014ba0, thd_arg=0x7fa3b0000d90, sel_result=0x7fa3b00507e8, additional_options=0) at /data/src/10.2/sql/sql_union.cc:596
#12 0x0000563c101a519a in mysql_derived_prepare (thd=0x7fa3b0000d90, lex=0x7fa3b00048c8, derived=0x7fa3b0011560) at /data/src/10.2/sql/sql_derived.cc:764
#13 0x0000563c101a3d54 in mysql_handle_derived (lex=0x7fa3b00048c8, phases=2) at /data/src/10.2/sql/sql_derived.cc:119
#14 0x0000563c102cc400 in Multiupdate_prelocking_strategy::handle_end (this=0x7fa3c9ab1990, thd=0x7fa3b0000d90) at /data/src/10.2/sql/sql_update.cc:1384
#15 0x0000563c10165aa5 in open_tables (thd=0x7fa3b0000d90, options=..., start=0x7fa3c9ab1960, counter=0x7fa3c9ab195c, flags=0, prelocking_strategy=0x7fa3c9ab1990) at /data/src/10.2/sql/sql_base.cc:4198
#16 0x0000563c102c86df in open_tables (thd=0x7fa3b0000d90, tables=0x7fa3c9ab1960, counter=0x7fa3c9ab195c, flags=0, prelocking_strategy=0x7fa3c9ab1990) at /data/src/10.2/sql/sql_base.h:248
#17 0x0000563c102ccb38 in mysql_multi_update_prepare (thd=0x7fa3b0000d90) at /data/src/10.2/sql/sql_update.cc:1541
#18 0x0000563c101d6b0d in mysql_execute_command (thd=0x7fa3b0000d90) at /data/src/10.2/sql/sql_parse.cc:4097
#19 0x0000563c101e255c in mysql_parse (thd=0x7fa3b0000d90, rawbuf=0x7fa3b0011338 "UPDATE v1_trans_unsafe_for_sbr_103520 AS A JOIN test.table1_innodb_int_autoinc B SET B.col_varchar_257_latin1 = test1.f1_0_103520 () WHERE col_tinyint BETWEEN -123 AND 61", length=170, parser_state=0x7fa3c9ab2570, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7796
#20 0x0000563c101d0786 in dispatch_command (command=COM_QUERY, thd=0x7fa3b0000d90, packet=0x7fa3b0008b51 "UPDATE v1_trans_unsafe_for_sbr_103520 AS A JOIN test.table1_innodb_int_autoinc B SET B.col_varchar_257_latin1 = test1.f1_0_103520 () WHERE col_tinyint BETWEEN -123 AND 61", packet_length=170, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#21 0x0000563c101cf281 in do_command (thd=0x7fa3b0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#22 0x0000563c1032a8be in do_handle_one_connection (connect=0x563c13c98ad0) at /data/src/10.2/sql/sql_connect.cc:1336
#23 0x0000563c1032a623 in handle_one_connection (arg=0x563c13c98ad0) at /data/src/10.2/sql/sql_connect.cc:1241
#24 0x0000563c10b5620e in pfs_spawn_thread (arg=0x563c13ca0e00) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#25 0x00007fa3d004b609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x00007fa3cfc27293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Reproducible on 10.2-10.3

Comment by Alice Sherepa [ 2022-11-10 ]

the test case from the description and 1st. and 3.rd comments are fixed by f6d8640d678799244cd9aede6abfd4493e commit (~~MDEV-18929~~ 2nd execution of SP does not detect ER_VERS_NOT_VERSIONED)

the test case from the 2.nd commit is still reproducible:

CREATE TABLE t (a INT, b INT);

CREATE ALGORITHM=MERGE VIEW v AS SELECT * FROM ( SELECT t2.* FROM t AS t1, t AS t2 ) AS sq;

CREATE PROCEDURE pr() UPDATE v SET b = 0;

LOCK TABLES t WRITE;

--error ER_TABLE_NOT_LOCKED

CALL pr;

UNLOCK TABLES;

--error ER_NON_UPDATABLE_TABLE

CALL pr;

CALL pr;

# Cleanup

DROP PROCEDURE pr;

DROP VIEW v;

DROP TABLE t;

10.11 d186cb180e424fb4e16695914
Version: '10.11.1-MariaDB-debug-log' socket: '/git/10.11/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==67044==ERROR: AddressSanitizer: use-after-poison on address 0x62500019bd50 at pc 0x5578c4e4280b bp 0x7f2f347d3250 sp 0x7f2f347d3248
READ of size 8 at 0x62500019bd50 thread T5
#0 0x5578c4e4280a in multi_update::prepare(List<Item>&, st_select_lex_unit*) /git/10.11/sql/sql_update.cc:2173
#1 0x5578c4bc524a in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /git/10.11/sql/sql_select.cc:1746
#2 0x5578c4be815d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /git/10.11/sql/sql_select.cc:5056
#3 0x5578c4e404c3 in mysql_multi_update(THD, TABLE_LIST, List<Item>, List<Item>, Item, unsigned long long, enum_duplicates, bool, st_select_lex_unit, st_select_lex, multi_update*) /git/10.11/sql/sql_update.cc:1980
#4 0x5578c4ad411b in mysql_execute_command(THD*, bool) /git/10.11/sql/sql_parse.cc:4489
#5 0x5578c4872706 in sp_instr_stmt::exec_core(THD, unsigned int) /git/10.11/sql/sp_head.cc:3857
#6 0x5578c4870d1f in sp_lex_keeper::reset_lex_and_exec_core(THD, unsigned int, bool, sp_instr*) /git/10.11/sql/sp_head.cc:3582
#7 0x5578c4871eba in sp_instr_stmt::execute(THD, unsigned int) /git/10.11/sql/sp_head.cc:3763
#8 0x5578c4862b72 in sp_head::execute(THD*, bool) /git/10.11/sql/sp_head.cc:1459
#9 0x5578c4868b7e in sp_head::execute_procedure(THD, List<Item>) /git/10.11/sql/sp_head.cc:2446
#10 0x5578c4aca03c in do_execute_sp /git/10.11/sql/sql_parse.cc:3026
#11 0x5578c4acbb48 in Sql_cmd_call::execute(THD*) /git/10.11/sql/sql_parse.cc:3271
#12 0x5578c4adfc8a in mysql_execute_command(THD*, bool) /git/10.11/sql/sql_parse.cc:5999
#13 0x5578c4aeca07 in mysql_parse(THD, char, unsigned int, Parser_state*) /git/10.11/sql/sql_parse.cc:7998
#14 0x5578c4ac3493 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /git/10.11/sql/sql_parse.cc:1894
#15 0x5578c4ac01b0 in do_command(THD*, bool) /git/10.11/sql/sql_parse.cc:1407
#16 0x5578c4f670b4 in do_handle_one_connection(CONNECT*, bool) /git/10.11/sql/sql_connect.cc:1416
#17 0x5578c4f66a0a in handle_one_connection /git/10.11/sql/sql_connect.cc:1318
#18 0x5578c5c0b02c in pfs_spawn_thread /git/10.11/storage/perfschema/pfs.cc:2201
#19 0x7f2f3d7b2fa2 in start_thread /build/glibc-6iIyft/glibc-2.28/nptl/pthread_create.c:486
#20 0x7f2f3d3bc06e in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf906e)

0x62500019bd50 is located 7248 bytes inside of 8324-byte region [0x62500019a100,0x62500019c184)
allocated by thread T5 here:
#0 0x7f2f3dcc6330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
#1 0x5578c68302d1 in sf_malloc /git/10.11/mysys/safemalloc.c:126
#2 0x5578c67fecd1 in my_malloc /git/10.11/mysys/my_malloc.c:90
#3 0x5578c67da67e in root_alloc /git/10.11/mysys/my_alloc.c:66
#4 0x5578c67dbe3d in alloc_root /git/10.11/mysys/my_alloc.c:332
#5 0x5578c4afe06b in Query_arena::memdup_w_gap(void const*, unsigned long, unsigned long) /git/10.11/sql/sql_class.h:1211
#6 0x5578c4ac834c in alloc_query(THD, char const, unsigned long) /git/10.11/sql/sql_parse.cc:2727
#7 0x5578c4871d97 in sp_instr_stmt::execute(THD, unsigned int) /git/10.11/sql/sp_head.cc:3750
#8 0x5578c4862b72 in sp_head::execute(THD*, bool) /git/10.11/sql/sp_head.cc:1459
#9 0x5578c4868b7e in sp_head::execute_procedure(THD, List<Item>) /git/10.11/sql/sp_head.cc:2446
#10 0x5578c4aca03c in do_execute_sp /git/10.11/sql/sql_parse.cc:3026
#11 0x5578c4acbb48 in Sql_cmd_call::execute(THD*) /git/10.11/sql/sql_parse.cc:3271
#12 0x5578c4adfc8a in mysql_execute_command(THD*, bool) /git/10.11/sql/sql_parse.cc:5999
#13 0x5578c4aeca07 in mysql_parse(THD, char, unsigned int, Parser_state*) /git/10.11/sql/sql_parse.cc:7998
#14 0x5578c4ac3493 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /git/10.11/sql/sql_parse.cc:1894
#15 0x5578c4ac01b0 in do_command(THD*, bool) /git/10.11/sql/sql_parse.cc:1407
#16 0x5578c4f670b4 in do_handle_one_connection(CONNECT*, bool) /git/10.11/sql/sql_connect.cc:1416
#17 0x5578c4f66a0a in handle_one_connection /git/10.11/sql/sql_connect.cc:1318
#18 0x5578c5c0b02c in pfs_spawn_thread /git/10.11/storage/perfschema/pfs.cc:2201
#19 0x7f2f3d7b2fa2 in start_thread /build/glibc-6iIyft/glibc-2.28/nptl/pthread_create.c:486

Thread T5 created by T0 here:
#0 0x7f2f3dc2ddb0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
#1 0x5578c5c06b4c in my_thread_create /git/10.11/storage/perfschema/my_thread.h:52
#2 0x5578c5c0b41b in pfs_spawn_thread_v1 /git/10.11/storage/perfschema/pfs.cc:2252
#3 0x5578c470f5a6 in inline_mysql_thread_create /git/10.11/include/mysql/psi/mysql_thread.h:1139
#4 0x5578c472707e in create_thread_to_handle_connection(CONNECT*) /git/10.11/sql/mysqld.cc:6102
#5 0x5578c47276e9 in create_new_thread(CONNECT*) /git/10.11/sql/mysqld.cc:6161
#6 0x5578c4727a5b in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.11/sql/mysqld.cc:6223
#7 0x5578c472847b in handle_connections_sockets() /git/10.11/sql/mysqld.cc:6347
#8 0x5578c47268e5 in mysqld_main(int, char**) /git/10.11/sql/mysqld.cc:5997
#9 0x5578c470e7f4 in main /git/10.11/sql/main.cc:34
#10 0x7f2f3d2e709a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: use-after-poison /git/10.11/sql/sql_update.cc:2173 in multi_update::prepare(List<Item>&, st_select_lex_unit*)
Shadow bytes around the buggy address:
0x0c4a8002b750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8002b760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8002b770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8002b780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8002b790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a8002b7a0: 00 00 00 00 00 00 00 f7 f7 f7[f7]f7 f7 f7 f7 f7
0x0c4a8002b7b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8002b7c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8002b7d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8002b7e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8002b7f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==67044==ABORTING

Comment by Alice Sherepa [ 2023-07-28 ]

I close this report - test case, that is still crashing - the same as MDEV-17120, the other tests - results work as expected

Generated at Thu Feb 08 08:59:16 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MDEV-20410] Pure virtual method called in Item_ref::set_properties, SIGSEGV or ASAN heap-use-after-free in create_view_field Created: 2019-08-22 Updated: 2023-07-28 Resolved: 2023-07-28