[MDEV-23443] ASAN heap-use-after-free in my_ci_strnncollsp upon query with EXCEPT ALL Created: 2020-08-10  Updated: 2024-02-01

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None


 Description   

-- Reproducer for the ASAN report that follows (utf8 variant).
-- The report shows the unique-key comparison in _ma_unique_comp reading
-- from a temp-table record buffer that was already freed by a realloc in
-- _ma_alloc_buffer; the free happens under ha_rnd_next and the read under
-- ha_update_tmp_row, both called from the same select_unit_ext::send_eof.
-- With CHARACTER SET utf8 the collation frames are utf8mb3_general_ci.
CREATE TABLE t1 (f TEXT CHARACTER SET utf8);
-- 'apple' is deliberately inserted twice: EXCEPT ALL keeps duplicates
-- instead of collapsing them (presumably this is what exercises the
-- row-update path seen in the trace -- confirm).
INSERT INTO t1 VALUES ('watermelon'),('apple') ,('pear'),('apple');
-- Right-hand operand is a constant that matches none of the rows in t1.
SELECT f FROM t1 EXCEPT ALL SELECT 'orange';

10.5 ASAN 9b2fe4bd

==23010==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200003aa55 at pc 0x5562a9716edd bp 0x7fc4b23402b0 sp 0x7fc4b23402a8
READ of size 1 at 0x61200003aa55 thread T5
    #0 0x5562a9716edc in my_scan_weight_utf8mb3_general_ci /data/src/10.5/strings/strcoll.ic:99
    #1 0x5562a971777d in my_strnncollsp_utf8mb3_general_ci /data/src/10.5/strings/strcoll.ic:256
    #2 0x5562a963ac73 in my_ci_strnncollsp /data/src/10.5/include/m_ctype.h:1061
    #3 0x5562a963acbc in ha_compare_text /data/src/10.5/mysys/my_compare.c:27
    #4 0x5562a891b164 in _ma_unique_comp /data/src/10.5/storage/maria/ma_unique.c:243
    #5 0x5562a8a777f1 in maria_update /data/src/10.5/storage/maria/ma_update.c:68
    #6 0x5562a893d802 in ha_maria::update_row(unsigned char const*, unsigned char const*) /data/src/10.5/storage/maria/ha_maria.cc:2362
    #7 0x5562a7d60fbf in handler::ha_update_tmp_row(unsigned char const*, unsigned char*) /data/src/10.5/sql/sql_class.h:7027
    #8 0x5562a7e789d2 in select_unit_ext::send_eof() /data/src/10.5/sql/sql_union.cc:862
    #9 0x5562a7caaa66 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4329
    #10 0x5562a7ca949b in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4231
    #11 0x5562a7e8520f in st_select_lex_unit::exec() /data/src/10.5/sql/sql_union.cc:2196
    #12 0x5562a7e71267 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:41
    #13 0x5562a7c82ac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #14 0x5562a7c031b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #15 0x5562a7bf3b25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #16 0x5562a7c0cf29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #17 0x5562a7be778a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #18 0x5562a7be460d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #19 0x5562a7fa1ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #20 0x5562a7fa1542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #21 0x5562a8b93d50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #22 0x7fc4bcba64a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #23 0x7fc4bacdad0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x61200003aa55 is located 149 bytes inside of 268-byte region [0x61200003a9c0,0x61200003aacc)
freed by thread T5 here:
    #0 0x7fc4bce7da10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x5562a9673352 in free_memory /data/src/10.5/mysys/safemalloc.c:279
    #2 0x5562a9672a00 in sf_realloc /data/src/10.5/mysys/safemalloc.c:187
    #3 0x5562a9643d25 in my_realloc /data/src/10.5/mysys/my_malloc.c:149
    #4 0x5562a89e2646 in _ma_alloc_buffer /data/src/10.5/storage/maria/ma_open.c:1247
    #5 0x5562a8915be4 in _ma_read_rnd_dynamic_record /data/src/10.5/storage/maria/ma_dynrec.c:1871
    #6 0x5562a8a24cca in maria_scan /data/src/10.5/storage/maria/ma_scan.c:54
    #7 0x5562a893ef6c in ha_maria::rnd_next(unsigned char*) /data/src/10.5/storage/maria/ha_maria.cc:2508
    #8 0x5562a83525da in handler::ha_rnd_next(unsigned char*) /data/src/10.5/sql/handler.cc:3060
    #9 0x5562a7e785f3 in select_unit_ext::send_eof() /data/src/10.5/sql/sql_union.cc:832
    #10 0x5562a7caaa66 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4329
    #11 0x5562a7ca949b in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4231
    #12 0x5562a7e8520f in st_select_lex_unit::exec() /data/src/10.5/sql/sql_union.cc:2196
    #13 0x5562a7e71267 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:41
    #14 0x5562a7c82ac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #15 0x5562a7c031b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #16 0x5562a7bf3b25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #17 0x5562a7c0cf29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #18 0x5562a7be778a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #19 0x5562a7be460d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #20 0x5562a7fa1ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #21 0x5562a7fa1542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #22 0x5562a8b93d50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #23 0x7fc4bcba64a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T5 here:
    #0 0x7fc4bce7dd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5562a9672455 in sf_malloc /data/src/10.5/mysys/safemalloc.c:118
    #2 0x5562a96435d8 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
    #3 0x5562a9643aed in my_realloc /data/src/10.5/mysys/my_malloc.c:139
    #4 0x5562a89e2646 in _ma_alloc_buffer /data/src/10.5/storage/maria/ma_open.c:1247
    #5 0x5562a89d98e2 in maria_clone_internal /data/src/10.5/storage/maria/ma_open.c:206
    #6 0x5562a89e1f1f in maria_open /data/src/10.5/storage/maria/ma_open.c:1167
    #7 0x5562a8932e3b in ha_maria::open(char const*, int, unsigned int) /data/src/10.5/storage/maria/ha_maria.cc:1153
    #8 0x5562a83508b4 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:2977
    #9 0x5562a7d11bc5 in open_tmp_table(TABLE*) /data/src/10.5/sql/sql_select.cc:19398
    #10 0x5562a7d17679 in instantiate_tmp_table(TABLE*, st_key*, st_maria_columndef*, st_maria_columndef**, unsigned long long) /data/src/10.5/sql/sql_select.cc:20296
    #11 0x5562a7d0e83b in Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool) /data/src/10.5/sql/sql_select.cc:19099
    #12 0x5562a7d0fa2a in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.5/sql/sql_select.cc:19196
    #13 0x5562a7e73fe5 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.5/sql/sql_union.cc:329
    #14 0x5562a7e7ffec in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/src/10.5/sql/sql_union.cc:1722
    #15 0x5562a7e71244 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:39
    #16 0x5562a7c82ac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #17 0x5562a7c031b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #18 0x5562a7bf3b25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #19 0x5562a7c0cf29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #20 0x5562a7be778a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #21 0x5562a7be460d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #22 0x5562a7fa1ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #23 0x5562a7fa1542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #24 0x5562a8b93d50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #25 0x7fc4bcba64a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T5 created by T0 here:
    #0 0x7fc4bcdecf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5562a8b8ee12 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
    #2 0x5562a8b9413f in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
    #3 0x5562a792c377 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1321
    #4 0x5562a793f189 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6020
    #5 0x5562a793f6fe in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6079
    #6 0x5562a793f8bb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6144
    #7 0x5562a794029e in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6271
    #8 0x5562a793eaef in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5666
    #9 0x5562a792ab6f in main /data/src/10.5/sql/main.cc:25
    #10 0x7fc4bac122e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5/strings/strcoll.ic:99 in my_scan_weight_utf8mb3_general_ci
Shadow bytes around the buggy address:
  0x0c247ffff4f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247ffff500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247ffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247ffff520: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
  0x0c247ffff530: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247ffff540: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c247ffff550: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c247ffff560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247ffff570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247ffff580: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247ffff590: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23010==ABORTING

A slightly different stack trace with latin1 instead of utf8:

-- Same reproducer with latin1 instead of utf8. The use-after-free is the
-- same (freed under ha_rnd_next, read under ha_update_tmp_row in
-- select_unit_ext::send_eof); only the top collation frame changes, to
-- my_strnncollsp_simple in ctype-simple.c.
CREATE TABLE t1 (f TEXT CHARACTER SET latin1);
-- 'apple' appears twice so that EXCEPT ALL has a duplicate to retain.
INSERT INTO t1 VALUES ('watermelon'),('apple') ,('pear'),('apple');
-- Right-hand operand is a constant that matches none of the rows in t1.
SELECT f FROM t1 EXCEPT ALL SELECT 'orange';

==23139==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200003aa54 at pc 0x56024ccd8149 bp 0x7f6d105973a0 sp 0x7f6d10597398
READ of size 1 at 0x61200003aa54 thread T5
    #0 0x56024ccd8148 in my_strnncollsp_simple /data/src/10.5/strings/ctype-simple.c:182
    #1 0x56024cc42c73 in my_ci_strnncollsp /data/src/10.5/include/m_ctype.h:1061
    #2 0x56024cc42cbc in ha_compare_text /data/src/10.5/mysys/my_compare.c:27
    #3 0x56024bf23164 in _ma_unique_comp /data/src/10.5/storage/maria/ma_unique.c:243
    #4 0x56024c07f7f1 in maria_update /data/src/10.5/storage/maria/ma_update.c:68
    #5 0x56024bf45802 in ha_maria::update_row(unsigned char const*, unsigned char const*) /data/src/10.5/storage/maria/ha_maria.cc:2362
    #6 0x56024b368fbf in handler::ha_update_tmp_row(unsigned char const*, unsigned char*) /data/src/10.5/sql/sql_class.h:7027
    #7 0x56024b4809d2 in select_unit_ext::send_eof() /data/src/10.5/sql/sql_union.cc:862
    #8 0x56024b2b2a66 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4329
    #9 0x56024b2b149b in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4231
    #10 0x56024b48d20f in st_select_lex_unit::exec() /data/src/10.5/sql/sql_union.cc:2196
    #11 0x56024b479267 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:41
    #12 0x56024b28aac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #13 0x56024b20b1b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #14 0x56024b1fbb25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #15 0x56024b214f29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #16 0x56024b1ef78a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #17 0x56024b1ec60d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #18 0x56024b5a9ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #19 0x56024b5a9542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #20 0x56024c19bd50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #21 0x7f6d1adfb4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #22 0x7f6d18f2fd0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x61200003aa54 is located 148 bytes inside of 260-byte region [0x61200003a9c0,0x61200003aac4)
freed by thread T5 here:
    #0 0x7f6d1b0d2a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56024cc7b352 in free_memory /data/src/10.5/mysys/safemalloc.c:279
    #2 0x56024cc7aa00 in sf_realloc /data/src/10.5/mysys/safemalloc.c:187
    #3 0x56024cc4bd25 in my_realloc /data/src/10.5/mysys/my_malloc.c:149
    #4 0x56024bfea646 in _ma_alloc_buffer /data/src/10.5/storage/maria/ma_open.c:1247
    #5 0x56024bf1dbe4 in _ma_read_rnd_dynamic_record /data/src/10.5/storage/maria/ma_dynrec.c:1871
    #6 0x56024c02ccca in maria_scan /data/src/10.5/storage/maria/ma_scan.c:54
    #7 0x56024bf46f6c in ha_maria::rnd_next(unsigned char*) /data/src/10.5/storage/maria/ha_maria.cc:2508
    #8 0x56024b95a5da in handler::ha_rnd_next(unsigned char*) /data/src/10.5/sql/handler.cc:3060
    #9 0x56024b4805f3 in select_unit_ext::send_eof() /data/src/10.5/sql/sql_union.cc:832
    #10 0x56024b2b2a66 in JOIN::exec_inner() /data/src/10.5/sql/sql_select.cc:4329
    #11 0x56024b2b149b in JOIN::exec() /data/src/10.5/sql/sql_select.cc:4231
    #12 0x56024b48d20f in st_select_lex_unit::exec() /data/src/10.5/sql/sql_union.cc:2196
    #13 0x56024b479267 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:41
    #14 0x56024b28aac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #15 0x56024b20b1b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #16 0x56024b1fbb25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #17 0x56024b214f29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #18 0x56024b1ef78a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #19 0x56024b1ec60d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #20 0x56024b5a9ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #21 0x56024b5a9542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #22 0x56024c19bd50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #23 0x7f6d1adfb4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
previously allocated by thread T5 here:
    #0 0x7f6d1b0d2d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56024cc7a455 in sf_malloc /data/src/10.5/mysys/safemalloc.c:118
    #2 0x56024cc4b5d8 in my_malloc /data/src/10.5/mysys/my_malloc.c:88
    #3 0x56024cc4baed in my_realloc /data/src/10.5/mysys/my_malloc.c:139
    #4 0x56024bfea646 in _ma_alloc_buffer /data/src/10.5/storage/maria/ma_open.c:1247
    #5 0x56024bfe18e2 in maria_clone_internal /data/src/10.5/storage/maria/ma_open.c:206
    #6 0x56024bfe9f1f in maria_open /data/src/10.5/storage/maria/ma_open.c:1167
    #7 0x56024bf3ae3b in ha_maria::open(char const*, int, unsigned int) /data/src/10.5/storage/maria/ha_maria.cc:1153
    #8 0x56024b9588b4 in handler::ha_open(TABLE*, char const*, int, unsigned int, st_mem_root*, List<String>*) /data/src/10.5/sql/handler.cc:2977
    #9 0x56024b319bc5 in open_tmp_table(TABLE*) /data/src/10.5/sql/sql_select.cc:19398
    #10 0x56024b31f679 in instantiate_tmp_table(TABLE*, st_key*, st_maria_columndef*, st_maria_columndef**, unsigned long long) /data/src/10.5/sql/sql_select.cc:20296
    #11 0x56024b31683b in Create_tmp_table::finalize(THD*, TABLE*, TMP_TABLE_PARAM*, bool, bool) /data/src/10.5/sql/sql_select.cc:19099
    #12 0x56024b317a2a in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /data/src/10.5/sql/sql_select.cc:19196
    #13 0x56024b47bfe5 in select_unit::create_result_table(THD*, List<Item>*, bool, unsigned long long, st_mysql_const_lex_string const*, bool, bool, bool, unsigned int) /data/src/10.5/sql/sql_union.cc:329
    #14 0x56024b487fec in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /data/src/10.5/sql/sql_union.cc:1722
    #15 0x56024b479244 in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /data/src/10.5/sql/sql_union.cc:39
    #16 0x56024b28aac9 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5/sql/sql_select.cc:407
    #17 0x56024b20b1b6 in execute_sqlcom_select /data/src/10.5/sql/sql_parse.cc:6210
    #18 0x56024b1fbb25 in mysql_execute_command(THD*) /data/src/10.5/sql/sql_parse.cc:3932
    #19 0x56024b214f29 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5/sql/sql_parse.cc:7994
    #20 0x56024b1ef78a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5/sql/sql_parse.cc:1868
    #21 0x56024b1ec60d in do_command(THD*) /data/src/10.5/sql/sql_parse.cc:1349
    #22 0x56024b5a9ad3 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5/sql/sql_connect.cc:1410
    #23 0x56024b5a9542 in handle_one_connection /data/src/10.5/sql/sql_connect.cc:1312
    #24 0x56024c19bd50 in pfs_spawn_thread /data/src/10.5/storage/perfschema/pfs.cc:2201
    #25 0x7f6d1adfb4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
 
Thread T5 created by T0 here:
    #0 0x7f6d1b041f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x56024c196e12 in my_thread_create /data/src/10.5/storage/perfschema/my_thread.h:38
    #2 0x56024c19c13f in pfs_spawn_thread_v1 /data/src/10.5/storage/perfschema/pfs.cc:2252
    #3 0x56024af34377 in inline_mysql_thread_create /data/src/10.5/include/mysql/psi/mysql_thread.h:1321
    #4 0x56024af47189 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5/sql/mysqld.cc:6020
    #5 0x56024af476fe in create_new_thread(CONNECT*) /data/src/10.5/sql/mysqld.cc:6079
    #6 0x56024af478bb in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5/sql/mysqld.cc:6144
    #7 0x56024af4829e in handle_connections_sockets() /data/src/10.5/sql/mysqld.cc:6271
    #8 0x56024af46aef in mysqld_main(int, char**) /data/src/10.5/sql/mysqld.cc:5666
    #9 0x56024af32b6f in main /data/src/10.5/sql/main.cc:25
    #10 0x7f6d18e672e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5/strings/ctype-simple.c:182 in my_strnncollsp_simple
Shadow bytes around the buggy address:
  0x0c247ffff4f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247ffff500: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247ffff510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247ffff520: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
  0x0c247ffff530: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247ffff540: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c247ffff550: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247ffff560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247ffff570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247ffff580: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c247ffff590: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23139==ABORTING

Reproducible with at least the MyISAM, InnoDB and Aria storage engines.
No obvious problem on my non-ASAN builds, but an ASAN non-debug build fails in the same way as above, so it is probably not just a debug-build issue.



 Comments   
Comment by Elena Stepanova [ 2020-08-22 ]

Sometimes the stack trace is simpler and already ends in _ma_unique_comp:

10.5 6708e67a

==38053==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200030fcd5 at pc 0x55631db2efdd bp 0x7faf1443de30 sp 0x7faf1443de20
READ of size 1 at 0x61200030fcd5 thread T29
    #0 0x55631db2efdc in _ma_unique_comp /home/mdbe/enterprise-tests/src/10.5/storage/maria/ma_unique.c:254
    #1 0x55631dcabda5 in maria_update /home/mdbe/enterprise-tests/src/10.5/storage/maria/ma_update.c:68
    #2 0x55631db54bde in ha_maria::update_row(unsigned char const*, unsigned char const*) /home/mdbe/enterprise-tests/src/10.5/storage/maria/ha_maria.cc:2362
    #3 0x55631ce90312 in handler::ha_update_tmp_row(unsigned char const*, unsigned char*) /home/mdbe/enterprise-tests/src/10.5/sql/sql_class.h:7035
    #4 0x55631cfd6a3c in select_unit_ext::send_eof() /home/mdbe/enterprise-tests/src/10.5/sql/sql_union.cc:861
    #5 0x55631ce162f7 in return_zero_rows /home/mdbe/enterprise-tests/src/10.5/sql/sql_select.cc:14433
    #6 0x55631cdccb55 in JOIN::exec_inner() /home/mdbe/enterprise-tests/src/10.5/sql/sql_select.cc:4373
    #7 0x55631cdcad6b in JOIN::exec() /home/mdbe/enterprise-tests/src/10.5/sql/sql_select.cc:4231
    #8 0x55631cfe3f37 in st_select_lex_unit::exec() /home/mdbe/enterprise-tests/src/10.5/sql/sql_union.cc:2216
    #9 0x55631cfcf15c in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /home/mdbe/enterprise-tests/src/10.5/sql/sql_union.cc:41
    #10 0x55631cda0c90 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/mdbe/enterprise-tests/src/10.5/sql/sql_select.cc:407
    #11 0x55631cd0d2c5 in execute_sqlcom_select /home/mdbe/enterprise-tests/src/10.5/sql/sql_parse.cc:6210
    #12 0x55631ccfc53d in mysql_execute_command(THD*) /home/mdbe/enterprise-tests/src/10.5/sql/sql_parse.cc:3932
    #13 0x55631cd1841c in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/mdbe/enterprise-tests/src/10.5/sql/sql_parse.cc:7994
    #14 0x55631cceeeb6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/mdbe/enterprise-tests/src/10.5/sql/sql_parse.cc:1867
    #15 0x55631cceb72a in do_command(THD*) /home/mdbe/enterprise-tests/src/10.5/sql/sql_parse.cc:1348
    #16 0x55631d11e315 in do_handle_one_connection(CONNECT*, bool) /home/mdbe/enterprise-tests/src/10.5/sql/sql_connect.cc:1410
    #17 0x55631d11dc6e in handle_one_connection /home/mdbe/enterprise-tests/src/10.5/sql/sql_connect.cc:1312
    #18 0x55631ddea790 in pfs_spawn_thread /home/mdbe/enterprise-tests/src/10.5/storage/perfschema/pfs.cc:2201
    #19 0x7faf642916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #20 0x7faf63477a3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

The same applies to the MSAN variation of the error:

10.8 1f5fc7b74

==45603==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55b240b38295 in _ma_unique_comp /home/jenkins/10.8/storage/maria/ma_unique.c:254:6
    #1 0x55b240d3d15d in maria_update /home/jenkins/10.8/storage/maria/ma_update.c:68:9
    #2 0x55b240b69316 in ha_maria::update_row(unsigned char const*, unsigned char const*) /home/jenkins/10.8/storage/maria/ha_maria.cc:2418:10
    #3 0x55b23f7c3e37 in handler::ha_update_tmp_row(unsigned char const*, unsigned char*) /home/jenkins/10.8/sql/sql_class.h:7345:3
    #4 0x55b23f9714fe in select_unit_ext::send_eof() /home/jenkins/10.8/sql/sql_union.cc:851:27
    #5 0x55b23f6de104 in return_zero_rows(JOIN*, select_result*, List<TABLE_LIST>&, List<Item>&, bool, unsigned long long, char const*, Item*, List<Item>&) /home/jenkins/10.8/sql/sql_select.cc:14808:15
    #6 0x55b23f6de104 in JOIN::exec_inner() /home/jenkins/10.8/sql/sql_select.cc:4656:14
    #7 0x55b23f6dbc9c in JOIN::exec() /home/jenkins/10.8/sql/sql_select.cc:4513:3
    #8 0x55b23f964841 in st_select_lex_unit::exec() /home/jenkins/10.8/sql/sql_union.cc:2235:14
    #9 0x55b23f95b0db in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /home/jenkins/10.8/sql/sql_union.cc:42:16
    #10 0x55b23f6421b9 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/jenkins/10.8/sql/sql_select.cc:535:10
    #11 0x55b23f518fd1 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/jenkins/10.8/sql/sql_parse.cc:6252:12
    #12 0x55b23f4f2e3d in mysql_execute_command(THD*, bool) /home/jenkins/10.8/sql/sql_parse.cc:3943:12
    #13 0x55b23f4db037 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/jenkins/10.8/sql/sql_parse.cc:8027:18
    #14 0x55b23f4cf1cd in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/jenkins/10.8/sql/sql_parse.cc:1894:7
    #15 0x55b23f4dd44c in do_command(THD*, bool) /home/jenkins/10.8/sql/sql_parse.cc:1402:17
    #16 0x55b23fb4f4e6 in do_handle_one_connection(CONNECT*, bool) /home/jenkins/10.8/sql/sql_connect.cc:1418:11
    #17 0x55b23fb4ea35 in handle_one_connection /home/jenkins/10.8/sql/sql_connect.cc:1312:5
    #18 0x55b240ebcd71 in pfs_spawn_thread /home/jenkins/10.8/storage/perfschema/pfs.cc:2201:3
    #19 0x7fd6e5283608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #20 0x7fd6e4f88292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
  Uninitialized value was created by a heap deallocation
    #0 0x55b23eec6a00 in realloc (/home/jenkins/10.8/sql/mariadbd+0x72aa00)
    #1 0x55b242275c6e in my_realloc /home/jenkins/10.8/mysys/my_malloc.c:151:7
 
SUMMARY: MemorySanitizer: use-of-uninitialized-value /home/jenkins/10.8/storage/maria/ma_unique.c:254:6 in _ma_unique_comp

Comment by Elena Stepanova [ 2022-01-20 ]

Depending on the character set/collation in use, the corresponding part of the stack trace can differ considerably. For example, the same test case from the description, but with CHARACTER SET ucs2 COLLATE ucs2_latvian_ci, gives us the following:

10.5 7259b299

=================================================================
==3451556==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000014f85 at pc 0x55776eeec2ad bp 0x7f7c9adf3060 sp 0x7f7c9adf3058
READ of size 1 at 0x60e000014f85 thread T5
    #0 0x55776eeec2ac in my_mb_wc_ucs2_quick /data/src/10.5/strings/ctype-ucs2.h:27
    #1 0x55776eeec2ac in my_uca_scanner_next_ucs2 /data/src/10.5/strings/ctype-uca.ic:84
    #2 0x55776eeec2ac in my_uca_scanner_next_ucs2 /data/src/10.5/strings/ctype-uca.ic:40
    #3 0x55776eeec2ac in my_uca_strnncollsp_onelevel_ucs2 /data/src/10.5/strings/ctype-uca.ic:307
    #4 0x55776e2dc336 in _ma_unique_comp /data/src/10.5/storage/maria/ma_unique.c:243
    #5 0x55776e3cf3fc in maria_update /data/src/10.5/storage/maria/ma_update.c:68
...

Comment by Alice Sherepa [ 2022-04-26 ]

preview-10.9-MDEV-27021-explain b904307368298cc2fa2fcb2ecdc0

==69684==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800031b514 at pc 0x5619ce09ac07 bp 0x7f551a30ce80 sp 0x7f551a30ce78
READ of size 4 at 0x61800031b514 thread T27
    #0 0x5619ce09ac06 in my_strcoll_ascii_4bytes_found /git/10.9/strings/ctype-ascii.h:111
    #1 0x5619ce09c6d0 in my_strnncollsp_utf8mb3_general_ci /git/10.9/strings/strcoll.inl:321
    #2 0x5619cdf7f711 in my_ci_strnncollsp /git/10.9/include/m_ctype.h:1148
    #3 0x5619cdf7f75a in ha_compare_text /git/10.9/mysys/my_compare.c:27
    #4 0x5619cd0f3633 in _ma_unique_comp /git/10.9/storage/maria/ma_unique.c:243
    #5 0x5619cd266033 in maria_update /git/10.9/storage/maria/ma_update.c:68
    #6 0x5619cd118e50 in ha_maria::update_row(unsigned char const*, unsigned char const*) /git/10.9/storage/maria/ha_maria.cc:2418
    #7 0x5619cc472a19 in handler::ha_update_tmp_row(unsigned char const*, unsigned char*) /git/10.9/sql/sql_class.h:7352
    #8 0x5619cc5bec7e in select_unit_ext::send_eof() /git/10.9/sql/sql_union.cc:851
    #9 0x5619cc3f7c83 in return_zero_rows /git/10.9/sql/sql_select.cc:14853
    #10 0x5619cc3af015 in JOIN::exec_inner() /git/10.9/sql/sql_select.cc:4697
    #11 0x5619cc3ad23f in JOIN::exec() /git/10.9/sql/sql_select.cc:4554
    #12 0x5619cc5cc5a8 in st_select_lex_unit::exec() /git/10.9/sql/sql_union.cc:2235
    #13 0x5619cc5b752d in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /git/10.9/sql/sql_union.cc:42
    #14 0x5619cc381cb0 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.9/sql/sql_select.cc:560
    #15 0x5619cc2adf96 in execute_sqlcom_select /git/10.9/sql/sql_parse.cc:6255
    #16 0x5619cc29cacd in mysql_execute_command(THD*, bool) /git/10.9/sql/sql_parse.cc:3945
    #17 0x5619cc2b8d7a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.9/sql/sql_parse.cc:8030
    #18 0x5619cc28f607 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /git/10.9/sql/sql_parse.cc:1895
    #19 0x5619cc28c2fc in do_command(THD*, bool) /git/10.9/sql/sql_parse.cc:1403
    #20 0x5619cc71f721 in do_handle_one_connection(CONNECT*, bool) /git/10.9/sql/sql_connect.cc:1418
    #21 0x5619cc71efa6 in handle_one_connection /git/10.9/sql/sql_connect.cc:1312
    #22 0x5619cd3a1420 in pfs_spawn_thread /git/10.9/storage/perfschema/pfs.cc:2201
    #23 0x7f553b8fbfa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
    #24 0x7f553b504efe in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf8efe)
 
0x61800031b514 is located 148 bytes inside of 844-byte region [0x61800031b480,0x61800031b7cc)
freed by thread T27 here:
    #0 0x7f553be0efb0 in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0xe8fb0)
    #1 0x5619cdfbb2ad in free_memory /git/10.9/mysys/safemalloc.c:297
    #2 0x5619cdfba720 in sf_realloc /git/10.9/mysys/safemalloc.c:193
    #3 0x5619cdf892ef in my_realloc /git/10.9/mysys/my_malloc.c:151
    #4 0x5619cd1c70d7 in _ma_alloc_buffer /git/10.9/storage/maria/ma_open.c:1253
    #5 0x5619cd0ed9ec in _ma_read_rnd_dynamic_record /git/10.9/storage/maria/ma_dynrec.c:1876
    #6 0x5619cd20c535 in maria_scan /git/10.9/storage/maria/ma_scan.c:54
    #7 0x5619cd11a5f8 in ha_maria::rnd_next(unsigned char*) /git/10.9/storage/maria/ha_maria.cc:2564
    #8 0x5619ccb4faa5 in handler::ha_rnd_next(unsigned char*) /git/10.9/sql/handler.cc:3393
    #9 0x5619cc5be897 in select_unit_ext::send_eof() /git/10.9/sql/sql_union.cc:822
    #10 0x5619cc3f7c83 in return_zero_rows /git/10.9/sql/sql_select.cc:14853
    #11 0x5619cc3af015 in JOIN::exec_inner() /git/10.9/sql/sql_select.cc:4697
    #12 0x5619cc3ad23f in JOIN::exec() /git/10.9/sql/sql_select.cc:4554
    #13 0x5619cc5cc5a8 in st_select_lex_unit::exec() /git/10.9/sql/sql_union.cc:2235
    #14 0x5619cc5b752d in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /git/10.9/sql/sql_union.cc:42
    #15 0x5619cc381cb0 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.9/sql/sql_select.cc:560
    #16 0x5619cc2adf96 in execute_sqlcom_select /git/10.9/sql/sql_parse.cc:6255
    #17 0x5619cc29cacd in mysql_execute_command(THD*, bool) /git/10.9/sql/sql_parse.cc:3945
    #18 0x5619cc2b8d7a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.9/sql/sql_parse.cc:8030
    #19 0x5619cc28f607 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /git/10.9/sql/sql_parse.cc:1895
    #20 0x5619cc28c2fc in do_command(THD*, bool) /git/10.9/sql/sql_parse.cc:1403
    #21 0x5619cc71f721 in do_handle_one_connection(CONNECT*, bool) /git/10.9/sql/sql_connect.cc:1418
    #22 0x5619cc71efa6 in handle_one_connection /git/10.9/sql/sql_connect.cc:1312
    #23 0x5619cd3a1420 in pfs_spawn_thread /git/10.9/storage/perfschema/pfs.cc:2201
    #24 0x7f553b8fbfa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
 
previously allocated by thread T27 here:
    #0 0x7f553be0f330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x5619cdfba142 in sf_malloc /git/10.9/mysys/safemalloc.c:126
    #2 0x5619cdfba6a7 in sf_realloc /git/10.9/mysys/safemalloc.c:188
    #3 0x5619cdf892ef in my_realloc /git/10.9/mysys/my_malloc.c:151
    #4 0x5619cd1c70d7 in _ma_alloc_buffer /git/10.9/storage/maria/ma_open.c:1253
    #5 0x5619cd0eb2e7 in _ma_read_dynamic_record /git/10.9/storage/maria/ma_dynrec.c:1526
    #6 0x5619cd1258e9 in ha_maria::find_unique_row(unsigned char*, unsigned int) /git/10.9/storage/maria/ha_maria.cc:4203
    #7 0x5619cc5bca0b in select_unit_ext::send_data(List<Item>&) /git/10.9/sql/sql_union.cc:639
    #8 0x5619cc471668 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /git/10.9/sql/sql_class.h:5612
    #9 0x5619cc42d858 in end_send /git/10.9/sql/sql_select.cc:22359
    #10 0x5619cc7e3405 in JOIN_CACHE::generate_full_extensions(unsigned char*) /git/10.9/sql/sql_join_cache.cc:2478
    #11 0x5619cc7e2ca2 in JOIN_CACHE::join_matching_records(bool) /git/10.9/sql/sql_join_cache.cc:2370
    #12 0x5619cc7e1359 in JOIN_CACHE::join_records(bool) /git/10.9/sql/sql_join_cache.cc:2151
    #13 0x5619cc42346b in sub_select_cache(JOIN*, st_join_table*, bool) /git/10.9/sql/sql_select.cc:20897
    #14 0x5619cc423a75 in sub_select(JOIN*, st_join_table*, bool) /git/10.9/sql/sql_select.cc:21068
    #15 0x5619cc422439 in do_select /git/10.9/sql/sql_select.cc:20670
    #16 0x5619cc3afcfd in JOIN::exec_inner() /git/10.9/sql/sql_select.cc:4776
    #17 0x5619cc3ad23f in JOIN::exec() /git/10.9/sql/sql_select.cc:4554
    #18 0x5619cc5cc5a8 in st_select_lex_unit::exec() /git/10.9/sql/sql_union.cc:2235
    #19 0x5619cc5b752d in mysql_union(THD*, LEX*, select_result*, st_select_lex_unit*, unsigned long) /git/10.9/sql/sql_union.cc:42
    #20 0x5619cc381cb0 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.9/sql/sql_select.cc:560
    #21 0x5619cc2adf96 in execute_sqlcom_select /git/10.9/sql/sql_parse.cc:6255
    #22 0x5619cc29cacd in mysql_execute_command(THD*, bool) /git/10.9/sql/sql_parse.cc:3945
    #23 0x5619cc2b8d7a in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.9/sql/sql_parse.cc:8030
    #24 0x5619cc28f607 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /git/10.9/sql/sql_parse.cc:1895
    #25 0x5619cc28c2fc in do_command(THD*, bool) /git/10.9/sql/sql_parse.cc:1403
    #26 0x5619cc71f721 in do_handle_one_connection(CONNECT*, bool) /git/10.9/sql/sql_connect.cc:1418
    #27 0x5619cc71efa6 in handle_one_connection /git/10.9/sql/sql_connect.cc:1312
    #28 0x5619cd3a1420 in pfs_spawn_thread /git/10.9/storage/perfschema/pfs.cc:2201
    #29 0x7f553b8fbfa2 in start_thread /build/glibc-fWwxX8/glibc-2.28/nptl/pthread_create.c:486
 
Thread T27 created by T0 here:
    #0 0x7f553bd76db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5619cd39cf40 in my_thread_create /git/10.9/storage/perfschema/my_thread.h:52
    #2 0x5619cd3a180f in pfs_spawn_thread_v1 /git/10.9/storage/perfschema/pfs.cc:2252
    #3 0x5619cbee8546 in inline_mysql_thread_create /git/10.9/include/mysql/psi/mysql_thread.h:1139
    #4 0x5619cbeff9d4 in create_thread_to_handle_connection(CONNECT*) /git/10.9/sql/mysqld.cc:5975
    #5 0x5619cbf0003f in create_new_thread(CONNECT*) /git/10.9/sql/mysqld.cc:6034
    #6 0x5619cbf003b1 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.9/sql/mysqld.cc:6096
    #7 0x5619cbf00db0 in handle_connections_sockets() /git/10.9/sql/mysqld.cc:6220
    #8 0x5619cbeff23b in mysqld_main(int, char**) /git/10.9/sql/mysqld.cc:5870
    #9 0x5619cbee7794 in main /git/10.9/sql/main.cc:34
    #10 0x7f553b43009a in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /git/10.9/strings/ctype-ascii.h:111 in my_strcoll_ascii_4bytes_found
Shadow bytes around the buggy address:
  0x0c308005b650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308005b660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c308005b670: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
  0x0c308005b680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c308005b690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c308005b6a0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c308005b6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c308005b6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c308005b6d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c308005b6e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c308005b6f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==69684==ABORTING
SHUTDOWN_1649676612

#1 0x55d73af0ebe9 in my_strnncoll_binary /git/10.9/strings/ctype-bin.c:89
#2 0x55d73af0ec6c in my_strnncollsp_binary /git/10.9/strings/ctype-bin.c:128
#3 0x55d7399fbb28 in charset_info_st::strnncollsp(unsigned char const*, unsigned long, unsigned char const*, unsigned long) const /git/10.9/include/m_ctype.h:859
  ...
