[MDEV-32401] expression cache? Heap-Use-After-Free at /mariadb-11.3.0/sql/item_sum.cc:2949 Created: 2023-10-10  Updated: 2024-01-26

Status: In Review
Project: MariaDB Server
Component/s: Optimizer, Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2, 11.3.0
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Xin Wen Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Ubuntu 20.04


Issue Links:
Duplicate
is duplicated by MDEV-32402 Heap-Use-After-Free at /mariadb-11.3.... Closed

Description

Run these queries in a debug build:

CREATE TEMPORARY TABLE t0 ( c33 TEXT NOT NULL , INDEX i0 ( c33 ( 24 ) ) ) ;
INSERT INTO t0 VALUES ( 71 ) , ( -79 ) ;
ALTER TABLE t0 ADD COLUMN c23 INT AFTER c33 ;
INSERT INTO t0 VALUES ( 29 , 102 ) , ( -7962263225263025638 , 82 ) ;
SELECT t1 . c24 AS c21 FROM ( SELECT c33 AS c24 FROM t0 ) AS t1 JOIN t0 ON ( SELECT ORD ( + EXISTS ( SELECT -52 AS c10 UNION SELECT + BIT_OR( c24 ) | LENGTH ( '#-_ic<JFkjm`vI9%=W/R?Ij]H^LQkfP PUq9' ) AS c44 FROM t0 WHERE c33 < -76 AND c33 < 0 AND c24 < -113 GROUP BY c33 ) ) << VARIANCE( c24 ) AS c16 FROM t0 GROUP BY c24 LIMIT 1 ) * CONVERT ( 115 , CHAR ) % RAND ( ) * RADIANS ( t0 . c33 ) / LTRIM ( -85 ) << RAND ( ) / RAND ( t0 . c23 ) << t0 . c33 & 'g*$\'>N`@R7_N[%m)v:3t<~qv_4oU{ac@' - SUBSTRING( 63 , 'D_Vj76G?l =>;y>w+9RI4_#xLEzC><!"@}:?B;:7ow9xM`' , '4Xl`2eL6&Ky&zY.@(8$nR%+c$FCP\'AH}G$|MI&\'#?4"{:(d-QPco]ZQ' ) - INSTR ( ROUND ( -5073911722588624130 , 61 ) SOUNDS LIKE TRIM( TRAILING FROM -98 ) AND RAND ( ) , -101 < RAND ( ) ) ^ DEGREES ( 3091623748526794021 ) + RAND ( ) = t0 . c23 ;

This will trigger a heap-use-after-free.

ASAN info:
=================================================================
==81176==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190001083c0 at pc 0x000001604c57 bp 0x7fffd1c121e0 sp 0x7fffd1c121d8
READ of size 8 at 0x6190001083c0 thread T16
    #0 0x1604c56 in Item_sum_bit::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3
    #1 0xc98d3f in init_tmptable_sum_functions(Item_sum**) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763:11
    #2 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
    #3 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
    #4 0xbe340e in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23481:9
    #5 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
    #6 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
    #7 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
    #8 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
    #9 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
    #10 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
    #11 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
    #12 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
    #13 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
    #14 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #15 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
    #16 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #17 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
    #18 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
    #19 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
    #20 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
    #21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #22 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
    #23 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
    #24 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #25 0x1318ed1 in Item::val_decimal_from_int(my_decimal*) /home/wx/mariadb-11.3.0/sql/item.cc:343:16
    #26 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
    #27 0x1413a98 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846:10
    #28 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #29 0x13ae82e in Arg_comparator::compare_int_unsigned_signed() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015:37
    #30 0x13b5ea1 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104:33
    #31 0x13b5ea1 in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780:18
    #32 0xf99b3f in SQL_SELECT::skip_record(THD*) /home/wx/mariadb-11.3.0/sql/opt_range.h:1914:13
    #33 0xf99b3f in JOIN_CACHE::check_match(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560:45
    #34 0xf8f7d8 in JOIN_CACHE::generate_full_extensions(unsigned char*) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503:7
    #35 0xf8f321 in JOIN_CACHE::join_matching_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403:13
    #36 0xf8e694 in JOIN_CACHE::join_records(bool) /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158:9
    #37 0xc9da16 in sub_select_cache(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192:16
    #38 0xc4536b in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963:14
    #39 0xc4536b in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
    #40 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
    #41 0xbe5127 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249:21
    #42 0xbe4595 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628:10
    #43 0xb3df17 in execute_sqlcom_select(THD*, TABLE_LIST*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013:12
    #44 0xb2cd50 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912:12
    #45 0xb1fe78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734:18
    #46 0xb19068 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893:7
    #47 0xb20b70 in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406:17
    #48 0xf03475 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445:11
    #49 0xf02eb8 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347:5
    #50 0x1a00c1a in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201:3
    #51 0x7ffff79f7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #52 0x7ffff770f132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
 
0x6190001083c0 is located 576 bytes inside of 1040-byte region [0x619000108180,0x619000108590)
freed by thread T16 here:
    #0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
    #1 0x2290b64 in root_free /home/wx/mariadb-11.3.0/mysys/my_alloc.c:83:5
    #2 0x2290b64 in free_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:515:7
    #3 0xc3da3d in free_tmp_table(THD*, TABLE*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22713:3
    #4 0xff1235 in Expression_cache_tmptable::disable_cache() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:62:3
    #5 0xff1235 in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:176:3
    #6 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
    #7 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
    #8 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
    #9 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
    #10 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
    #11 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
    #12 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #13 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
    #14 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
    #15 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
    #16 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
    #17 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
    #18 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
    #19 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
    #20 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
    #21 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
    #22 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
    #23 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
    #24 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
    #25 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
    #26 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
    #27 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
    #28 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #29 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
    #30 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #31 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
    #32 0x145e1d5 in Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*) /home/wx/mariadb-11.3.0/sql/item_func.cc:859:27
    #33 0x10b6a7f in VDec::VDec(Item*) /home/wx/mariadb-11.3.0/sql/sql_type.cc:293:16
    #34 0x14c3c28 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2202:12
    #35 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #36 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
    #37 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
    #38 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
 
previously allocated by thread T16 here:
    #0 0x7ca5fd in malloc (/usr/local/mysql/bin/mariadbd+0x7ca5fd)
    #1 0x22a6308 in my_malloc /home/wx/mariadb-11.3.0/mysys/my_malloc.c:89:29
    #2 0x228fff9 in root_alloc /home/wx/mariadb-11.3.0/mysys/my_alloc.c:71:10
    #3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
    #4 0x10f83ec in Field::operator new(unsigned long, st_mem_root*) /home/wx/mariadb-11.3.0/sql/field.h:771:12
    #5 0x10f83ec in Type_handler_long::make_table_field_from_def(TABLE_SHARE*, st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Bit_addr const&, Column_definition_attributes const*, unsigned int) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:8134:10
    #6 0x10cac4a in Type_handler_int_result::make_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE_SHARE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3573:10
    #7 0x110c447 in Type_handler::make_and_init_table_field(st_mem_root*, st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /home/wx/mariadb-11.3.0/sql/sql_type.cc:3558:17
    #8 0x110c447 in Item::tmp_table_field_from_field_type(st_mem_root*, TABLE*) /home/wx/mariadb-11.3.0/sql/item.h:914:15
    #9 0x110c447 in Item::create_tmp_field_ex_simple(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:935:12
    #10 0x110c447 in Item_cache::create_tmp_field_ex(st_mem_root*, TABLE*, Tmp_field_src*, Tmp_field_param const*) /home/wx/mariadb-11.3.0/sql/item.h:7119:12
    #11 0xc8940f in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:20823:24
    #12 0xc8c548 in Create_tmp_table::add_fields(THD*, TABLE*, TMP_TABLE_PARAM*, List<Item>&) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21261:9
    #13 0xc36790 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:21920:13
    #14 0xff0d1e in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:121:22
    #15 0x136b52a in Item_cache_wrapper::init_on_demand() /home/wx/mariadb-11.3.0/sql/item.cc:8775:19
    #16 0x136b52a in Item_cache_wrapper::check_cache() /home/wx/mariadb-11.3.0/sql/item.cc:8899:5
    #17 0x136b52a in Item_cache_wrapper::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:9017:22
    #18 0x1479db3 in Item_func_ord::val_int() /home/wx/mariadb-11.3.0/sql/item_func.cc:3283:24
    #19 0x14c39f5 in Item::to_longlong_null() /home/wx/mariadb-11.3.0/sql/item.h:1452:18
    #20 0x14c39f5 in Func_handler_shift_left_int_to_ulonglong::to_longlong_null(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.cc:2189:34
    #21 0x1413061 in Item_handled_func::Handler_int::val_int(Item_handled_func*) const /home/wx/mariadb-11.3.0/sql/item_func.h:696:26
    #22 0x13552b7 in Item::save_int_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6843:16
    #23 0x13554a8 in Item::save_in_field(Field*, bool) /home/wx/mariadb-11.3.0/sql/item.cc:6853:30
    #24 0xc98fc5 in copy_funcs(Item**, THD const*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:28843:11
    #25 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
    #26 0xc9e283 in evaluate_join_record(JOIN*, st_join_table*, int) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677:11
    #27 0xbe3395 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444:9
    #28 0xc45120 in do_select(JOIN*, Procedure*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961:14
    #29 0xc45120 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941:50
    #30 0xc428e8 in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718:8
    #31 0x15d8105 in subselect_single_select_engine::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159:23
    #32 0x15b3edb in Item_subselect::exec() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812:21
    #33 0x15b9772 in Item_singlerow_subselect::val_int() /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462:8
    #34 0x1376611 in Item_cache_int::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10161:19
    #35 0x136b102 in Item_cache_wrapper::cache() /home/wx/mariadb-11.3.0/sql/item.cc:8915:15
    #36 0x136b102 in Item_cache_wrapper::val_real() /home/wx/mariadb-11.3.0/sql/item.cc:8996:3
    #37 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #38 0x14682f0 in Item_func_mod::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1700:26
    #39 0x14641a3 in Item_func_mul::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1370:26
    #40 0x1465563 in Item_func_div::real_op() /home/wx/mariadb-11.3.0/sql/item_func.cc:1502:26
 
Thread T16 created by T0 here:
    #0 0x7b502a in pthread_create (/usr/local/mysql/bin/mariadbd+0x7b502a)
    #1 0x1a00edd in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52:10
    #2 0x1a00edd in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252:15
    #3 0x80e649 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139:11
    #4 0x80e649 in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150:19
    #5 0x80f608 in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212:3
    #6 0x80f608 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274:5
    #7 0x80caa8 in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398:9
    #8 0x8051de in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045:3
    #9 0x7ffff7614082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
 
SUMMARY: AddressSanitizer: heap-use-after-free /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3 in Item_sum_bit::reset_field()
Shadow bytes around the buggy address:
  0x0c3280019020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280019030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280019040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280019050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280019060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280019070: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c3280019080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3280019090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800190a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c32800190b0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c32800190c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==81176==ABORTING

A release build will also randomly trigger a segmentation fault.
GDB info:

Thread 16 "mariadbd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe011a700 (LWP 45883)]
0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
    at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
2949	  int8store(result_field->ptr, bits);
 
#0  0x00005555560be1d9 in Item_sum_bit::reset_field (this=0x7fff94093470)
    at /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949
#1  0x0000555555dda6ad in init_tmptable_sum_functions (func_ptr=0x7fff94079d50)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:28763
#2  end_unique_update (join=0x7fff94076e60, join_tab=0x7fff94085b88, 
    end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138
#3  0x0000555555dad6d4 in evaluate_join_record (join=join@entry=0x7fff94076e60, 
    join_tab=join_tab@entry=0x7fff94085710, error=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23677
#4  0x0000555555dbf7fb in sub_select (join=0x7fff94076e60, join_tab=0x7fff94085710, 
    end_of_records=false) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
#5  0x0000555555df19b2 in do_select (procedure=<optimized out>, join=0x7fff94076e60)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
#6  JOIN::exec_inner (this=this@entry=0x7fff94076e60)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#7  0x0000555555df1d78 in JOIN::exec (this=0x7fff94076e60)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#8  0x00005555560b1422 in subselect_single_select_engine::exec (this=0x7fff940964c0)
    at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:4159
#9  0x00005555560b040c in Item_subselect::exec (this=0x7fff94096330)
    at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:812
#10 0x00005555560afd03 in Item_singlerow_subselect::val_int (this=0x7fff94096330)
    at /home/wx/mariadb-11.3.0/sql/item_subselect.cc:1462
#11 0x0000555555fefb79 in Item_cache_int::cache_value (this=0x7fff9408ae98)
    at /home/wx/mariadb-11.3.0/sql/item.cc:10161
#12 0x000055555600536c in Item_cache_wrapper::cache (this=0x7fff9408adf0)
    at /home/wx/mariadb-11.3.0/sql/item.cc:8915
#13 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
    at /home/wx/mariadb-11.3.0/sql/item.cc:8996
#14 Item_cache_wrapper::val_real (this=0x7fff9408adf0)
    at /home/wx/mariadb-11.3.0/sql/item.cc:8979
#15 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94096688)
    at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
#16 0x000055555604d0b1 in Item_func_mod::real_op (this=0x7fff94071bb8)
    at /home/wx/mariadb-11.3.0/sql/item_func.cc:1700
#17 0x000055555604b141 in Item_func_mul::real_op (this=0x7fff94071e90)
    at /home/wx/mariadb-11.3.0/sql/item_func.cc:1370
#18 0x000055555604cd41 in Item_func_div::real_op (this=0x7fff94072100)
    at /home/wx/mariadb-11.3.0/sql/item_func.cc:1502
#19 0x000055555604e29a in Item_func_hybrid_field_type::val_decimal_from_real_op (
    this=0x7fff94072100, dec=0x7fffe01180d8) at /home/wx/mariadb-11.3.0/sql/item_func.cc:859
#20 0x0000555555f2d79f in VDec::VDec (this=0x7fffe01180d0, item=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
#21 0x000055555605a294 in Func_handler_shift_left_decimal_to_ulonglong::to_longlong_null (
    this=<optimized out>, item=0x7fff94072568)
    at /home/wx/mariadb-11.3.0/sql/item_func.cc:2202
#22 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
    item=0x7fff94072568) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
#23 0x0000555556056fd8 in Item::to_longlong_null (this=0x7fff94072568)
    at /home/wx/mariadb-11.3.0/sql/item.h:1452
#24 Func_handler_shift_left_int_to_ulonglong::to_longlong_null (this=<optimized out>, 
    item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.cc:2189
#25 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
    item=0x7fff94072750) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
#26 0x0000555555ff7aba in Item::val_decimal_from_int (this=0x7fff94072750, 
    decimal_value=0x7fffe0118208) at /home/wx/mariadb-11.3.0/sql/item.cc:343
#27 0x0000555555f2d79f in VDec::VDec (this=0x7fffe0118200, item=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/sql_type.cc:293
#28 0x0000555556029e48 in Func_handler_bit_and_dec_to_ulonglong::to_longlong_null (
    this=<optimized out>, item=0x7fff94074228)
    at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:4846
#29 0x0000555556025ab6 in Item_handled_func::Handler_int::val_int (this=<optimized out>, 
    item=0x7fff94074228) at /home/wx/mariadb-11.3.0/sql/item_func.h:696
#30 0x00005555560107fd in Arg_comparator::compare_int_unsigned_signed (this=0x7fff940744c8)
    at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1015
#31 0x0000555556010caf in Arg_comparator::compare (this=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
#32 Item_func_eq::val_int (this=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
#33 0x0000555555ec7e3c in SQL_SELECT::skip_record (this=<optimized out>, thd=0x7fff94000c58)
    at /home/wx/mariadb-11.3.0/sql/opt_range.h:1914
#34 JOIN_CACHE::check_match (rec_ptr=0x7fff9409679c "\003", this=0x7fff9407ca58)
    at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2560
#35 JOIN_CACHE::generate_full_extensions (this=0x7fff9407ca58, rec_ptr=0x7fff9409679c "\003")
    at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2503
#36 0x0000555555ec8297 in JOIN_CACHE::join_matching_records (this=0x7fff9407ca58, 
    skip_last=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2403
#37 0x0000555555ec7bf3 in JOIN_CACHE::join_records (this=this@entry=0x7fff9407ca58, 
    skip_last=skip_last@entry=false) at /home/wx/mariadb-11.3.0/sql/sql_join_cache.cc:2158
#38 0x0000555555dbfcba in sub_select_cache (join=0x7fff94075b18, join_tab=0x7fff94083b48, 
    end_of_records=<optimized out>) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:23192
#39 0x0000555555df1814 in do_select (procedure=<optimized out>, join=0x7fff94075b18)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:22963
#40 JOIN::exec_inner (this=this@entry=0x7fff94075b18)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
#41 0x0000555555df1d78 in JOIN::exec (this=this@entry=0x7fff94075b18)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
#42 0x0000555555defe1c in mysql_select (thd=thd@entry=0x7fff94000c58, tables=0x7fff94014ed0, 
    fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, 
    select_options=<optimized out>, result=0x7fff94074ef8, unit=0x7fff94004ee8, 
    select_lex=0x7fff940132d0) at /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
#43 0x0000555555df0607 in handle_select (thd=thd@entry=0x7fff94000c58, 
    lex=lex@entry=0x7fff94004e08, result=result@entry=0x7fff94074ef8, 
    setup_tables_done_option=setup_tables_done_option@entry=0)
    at /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#44 0x0000555555d6de41 in execute_sqlcom_select (thd=thd@entry=0x7fff94000c58, 
    all_tables=0x7fff94014ed0) at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#45 0x0000555555d7c2aa in mysql_execute_command (thd=thd@entry=0x7fff94000c58, 
    is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)
    at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#46 0x0000555555d68c27 in mysql_parse (thd=0x7fff94000c58, rawbuf=<optimized out>, 
    length=<optimized out>, parser_state=<optimized out>)
    at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#47 0x0000555555d74fdd in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x7fff94000c58, packet=packet@entry=0x7fff94008509 "", 
    packet_length=packet_length@entry=792, blocking=blocking@entry=true)
    at /home/wx/mariadb-11.3.0/sql/sql_class.h:251
#48 0x0000555555d7721e in do_command (thd=0x7fff94000c58, blocking=blocking@entry=true)
    at /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#49 0x0000555555e9a617 in do_handle_one_connection (connect=<optimized out>, 
    connect@entry=0x555557e0e4a8, put_in_cache=put_in_cache@entry=true)
    at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#50 0x0000555555e9a94d in handle_one_connection (arg=arg@entry=0x555557e0e4a8)
    at /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#51 0x00005555561e658d in pfs_spawn_thread (arg=0x555557db7f98)
    at /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#52 0x00007ffff7b48609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#53 0x00007ffff7719133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
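The three stacks in the ASan report above (the read in Item_sum_bit::reset_field, the free under Expression_cache_tmptable::disable_cache, the allocation under Expression_cache_tmptable::init, all on thread T16) are what a triager reads first. The following is an added example, not MariaDB's code, of a small parser that extracts those stacks, skips allocator wrapper frames, and reports the use, free and allocation sites together with the innermost function the use and free stacks share. The embedded sample report is a trimmed copy of the one above with most frames elided, and the ALLOCATOR_FRAMES set of mysys wrapper names is an assumption to adjust per code base.

```python
"""Added example (not MariaDB code): triage an ASan heap-use-after-free report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
# "#N 0xADDR in FUNC FILE:LINE[:COL]"; interceptor frames carry only "(module+offset)".
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (?P<func>.+?)"
                      r"(?: (?P<file>\S+\.[A-Za-z]+):(?P<line>\d+)(?::\d+)?)?$")
# Allocator wrappers that top every alloc/free stack and say nothing about ownership.
# Assumption: the mysys names below are those seen in this issue's report; extend per code base.
ALLOCATOR_FRAMES = frozenset({"free", "malloc", "root_free", "free_root", "my_malloc", "root_alloc", "alloc_root"})

@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]

    @property
    def name(self) -> str:  # function name without parameter list / module suffix
        return self.func.split("(")[0].strip()

    @property
    def site(self) -> str:
        return f"{self.name} @ {self.file}:{self.line}" if self.file else f"{self.name} @ <no source>"

@dataclass
class AsanReport:
    error: str = ""
    access: str = ""
    threads: Dict[str, str] = field(default_factory=dict)  # section -> thread id
    stacks: Dict[str, List[Frame]] = field(default_factory=lambda: {"use": [], "free": [], "alloc": []})

def parse_asan_report(text: str) -> AsanReport:
    """Frames are attributed to the most recent section header seen."""
    r, section = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.match(line):
            r.error = m.group(1)
        elif m := ACCESS_RE.match(line):
            r.access, r.threads["use"], section = f"{m.group(1)} of size {m.group(2)}", m.group(3), "use"
        elif m := FREED_RE.match(line):
            r.threads["free"], section = m.group(1), "free"
        elif m := ALLOC_RE.match(line):
            r.threads["alloc"], section = m.group(1), "alloc"
        elif line.startswith(("Thread T", "SUMMARY:", "Shadow bytes")):
            section = None  # thread-creation stack and trailer: not needed for triage
        elif section and (m := FRAME_RE.match(line)):
            r.stacks[section].append(Frame(m["func"], m["file"], int(m["line"]) if m["line"] else None))
    return r

def first_source_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame with source info that is not an allocator wrapper."""
    return next((f for f in frames if f.file and f.name not in ALLOCATOR_FRAMES), None)

def shared_frame(use: List[Frame], freed: List[Frame]) -> Optional[Tuple[Frame, Frame]]:
    """Innermost use-stack function that also occurs on the free stack; for a same-thread
    UAF that function (or a callee) is where the free and the reuse are mis-ordered."""
    on_free = {f.func: f for f in reversed(freed)}  # innermost occurrence wins
    return next(((f, on_free[f.func]) for f in use if f.func in on_free), None)

def triage(text: str) -> Dict[str, object]:
    r = parse_asan_report(text)
    use, freed, alloc = (first_source_frame(r.stacks[k]) for k in ("use", "free", "alloc"))
    common = shared_frame(r.stacks["use"], r.stacks["free"])
    return {
        "error": r.error, "access": r.access,
        "same_thread": len(set(r.threads.values())) == 1,  # False would point at a race instead
        "use_site": use.site if use else None,
        "free_site": freed.site if freed else None,
        "alloc_site": alloc.site if alloc else None,
        "shared_function": common[0].name if common else None,
        "shared_lines": (common[0].line, common[1].line) if common else None,
    }

# Constructed sample: this issue's report with most frames elided.
SAMPLE_REPORT = """\
==81176==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190001083c0 at pc 0x000001604c57
READ of size 8 at 0x6190001083c0 thread T16
    #0 0x1604c56 in Item_sum_bit::reset_field() /home/wx/mariadb-11.3.0/sql/item_sum.cc:2949:3
    #2 0xc98d3f in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25138:3
freed by thread T16 here:
    #0 0x7ca37d in free (/usr/local/mysql/bin/mariadbd+0x7ca37d)
    #3 0xc3da3d in free_tmp_table(THD*, TABLE*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:22713:3
    #4 0xff1235 in Expression_cache_tmptable::disable_cache() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:62:3
    #16 0xc98fc5 in end_unique_update(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:25140:7
previously allocated by thread T16 here:
    #3 0x228fff9 in alloc_root /home/wx/mariadb-11.3.0/mysys/my_alloc.c:339:29
    #14 0xff0d1e in Expression_cache_tmptable::init() /home/wx/mariadb-11.3.0/sql/sql_expression_cache.cc:121:22
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:16} {value}")
```

On the sample, the summary reports the use in Item_sum_bit::reset_field, the free in free_tmp_table, the allocation in Expression_cache_tmptable::init, all on the same thread, and end_unique_update as the shared function (sql_select.cc:25140 on the free path, :25138 on the read path). A same-thread result says this is a lifetime-ordering bug rather than a race: the expression cache's temporary table is freed while a sum function's result_field still points into it, and the next call through end_unique_update reads it.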



Comments
Comment by Alice Sherepa [ 2023-10-25 ]

Thanks! I repeated as described on 10.4-11.2, crashes also on non-debug (after a few executions of the query).

231025 15:08:55 [ERROR] mysqld got signal 11 ;
 
sql/signal_handler.cc:241(handle_fatal_signal)[0x55d3aa27e4c7]
sql/item_sum.cc:2949(Item_sum_bit::reset_field())[0x55d3aa35bb55]
sql/sql_select.cc:27422(end_unique_update(JOIN*, st_join_table*, bool))[0x55d3aa089d4d]
sql/sql_class.h:4440(THD::get_stmt_da())[0x55d3aa074bcb]
sql/sql_select.cc:22147(sub_select(JOIN*, st_join_table*, bool))[0x55d3aa07ac2f]
sql/sql_select.cc:21670(JOIN::exec_inner())[0x55d3aa0ac267]
sql/sql_select.cc:4633(JOIN::exec())[0x55d3aa0ac5a3]
sql/item_subselect.cc:4116(subselect_single_select_engine::exec())[0x55d3aa34ecf6]
sql/item_subselect.cc:816(Item_subselect::exec())[0x55d3aa34d2aa]
sql/item_subselect.cc:1461(Item_singlerow_subselect::val_int())[0x55d3aa34de5e]
sql/item.cc:10139(Item_cache_int::cache_value())[0x55d3aa293227]
sql/item.cc:8894(Item_cache_wrapper::cache())[0x55d3aa2a7c74]
sql/item_func.cc:1379(Item_func_mul::real_op())[0x55d3aa2f0adc]
sql/item_func.cc:1646(Item_func_mod::real_op())[0x55d3aa2f2bec]
sql/item_func.cc:1379(Item_func_mul::real_op())[0x55d3aa2f0adc]
sql/item_func.cc:1456(Item_func_div::real_op())[0x55d3aa2f297c]
sql/item_func.cc:869(Item_func_hybrid_field_type::val_decimal_from_real_op(my_decimal*))[0x55d3aa2f38ae]
sql/sql_type.cc:293(VDec::VDec(Item*))[0x55d3aa1cce3b]
sql/sql_type.h:417(Dec_ptr::to_xlonglong_null())[0x55d3aa2fd3bc]
sql/item_func.h:707(Item_handled_func::Handler_int::val_int(Item_handled_func*) const)[0x55d3aa2c9232]
sql/sql_type_int.h:88(Longlong_null::operator<<(Longlong_null const&) const)[0x55d3aa2fd05e]
sql/item_func.h:707(Item_handled_func::Handler_int::val_int(Item_handled_func*) const)[0x55d3aa2c9232]
sql/item.cc:343(Item::val_decimal_from_int(my_decimal*))[0x55d3aa29a63f]
sql/sql_type.cc:293(VDec::VDec(Item*))[0x55d3aa1cce3b]
sql/sql_type_int.h:38(Func_handler_bit_and_dec_to_ulonglong::to_longlong_null(Item_handled_func*) const)[0x55d3aa2cb2d4]
sql/item_func.h:707(Item_handled_func::Handler_int::val_int(Item_handled_func*) const)[0x55d3aa2c9232]
sql/item_cmpfunc.cc:1016(Arg_comparator::compare_int_unsigned_signed())[0x55d3aa2b4789]
sql/item_cmpfunc.cc:1781(Item_func_eq::val_int())[0x55d3aa2b889a]
sql/sql_class.h:4430(JOIN_CACHE::generate_full_extensions(unsigned char*))[0x55d3aa17bbb8]
sql/sql_join_cache.cc:2421(JOIN_CACHE::join_matching_records(bool))[0x55d3aa17c03e]
sql/sql_join_cache.cc:2176(JOIN_CACHE::join_records(bool))[0x55d3aa17b974]
sql/sql_select.cc:21899(sub_select_cache(JOIN*, st_join_table*, bool))[0x55d3aa07afdf]
sql/sql_select.cc:21671(do_select)[0x55d3aa0ac162]
sql/sql_select.cc:4633(JOIN::exec())[0x55d3aa0ac5a3]
sql/sql_select.cc:5114(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55d3aa0aa7ee]
sql/sql_select.cc:598(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x55d3aa0ab054]
sql/sql_parse.cc:6290(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55d3a9ed19e6]
sql/sql_parse.cc:3959(mysql_execute_command(THD*, bool))[0x55d3aa03b9d0]
sql/sql_parse.cc:8035(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55d3aa03dd8b]
sql/sql_parse.cc:1953(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55d3aa0401c8]
sql/sql_parse.cc:1409(do_command(THD*, bool))[0x55d3aa0416f3]
sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x55d3aa14d5e7]
sql/sql_connect.cc:1324(handle_one_connection)[0x55d3aa14d884]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55d3aa4d0d6c]
nptl/pthread_create.c:478(start_thread)[0x7fc86efe3609]
 
Query (0x7fc81c010c20): SELECT t1 . c24 AS c21 FROM ( SELECT c33 AS c24 FROM t0 ) AS t1 JOIN t0 ON ( SELECT ORD ( + EXISTS ( SELECT 52 AS c10 UNION SELECT + BIT_OR( c24 ) | LENGTH ( 'f' ) AS c44 FROM t0 WHERE c33 < -76 AND c33 < 0 AND c24 < -113 GROUP BY c33 ) ) << VARIANCE( c24 ) AS c16 FROM t0 GROUP BY c24 LIMIT 1 ) * CONVERT ( 115 , CHAR ) % RAND ( ) * RADIANS ( t0 . c33 ) / LTRIM ( -85 ) << RAND ( ) / RAND ( t0 . c23 ) << t0 . c33 & 'b' - SUBSTRING( 63 , 'a' ) - INSTR ( ROUND ( -5 , 61 ) SOUNDS LIKE TRIM( TRAILING FROM -98 ) AND RAND ( ) , -101 < RAND ( ) ) ^ DEGREES ( 3091623748526794021 ) + RAND ( ) = t0 . c23

CREATE TABLE `t0` ( `c33` text NOT NULL, `c23` int, KEY `i0` (`c33`(24)));
INSERT INTO `t0` VALUES ('71',NULL),('-79',NULL),('29',102),('-7962263225263025638',82);
 
SELECT t1 . c24 AS c21 FROM ( SELECT c33 AS c24 FROM t0 ) AS t1 
JOIN t0 ON ( SELECT ORD ( + EXISTS ( SELECT 52 AS c10 UNION SELECT + BIT_OR( c24 ) | LENGTH ( 'f' ) AS c44 FROM t0 WHERE c33 < -76 AND c33 < 0 AND c24 < -113 GROUP BY c33 ) ) << VARIANCE( c24 ) AS c16 FROM t0 GROUP BY c24 LIMIT 1 ) * CONVERT ( 115 , CHAR ) % RAND ( ) * RADIANS ( t0 . c33 ) / LTRIM ( -85 ) << RAND ( ) / RAND ( t0 . c23 ) << t0 . c33 & 'b' - SUBSTRING( 63 , 'a' ) - INSTR ( ROUND ( -5 , 61 ) SOUNDS LIKE TRIM( TRAILING FROM -98 ) AND RAND ( ) , -101 < RAND ( ) ) ^ DEGREES ( 3091623748526794021 ) + RAND ( ) = t0 . c23 ;

Version: '10.4.32-MariaDB-debug-log'  revision babd833685e1fd1da4411a0874ba1c98bb0b631d: 
=================================================================
==1204430==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000108428 at pc 0x55e48de13ff7 bp 0x7f0d9dac9820 sp 0x7f0d9dac9810
READ of size 8 at 0x619000108428 thread T27
    #0 0x55e48de13ff6 in Item_sum_bit::reset_field() /10.4/src/sql/item_sum.cc:2915
    #1 0x55e48d5347e4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26090
    #2 0x55e48d51a9ec in end_unique_update /10.4/src/sql/sql_select.cc:22510
    #3 0x55e48d54f1be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615
    #4 0x55e48d55ec6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)
    #5 0x55e48d50c0cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607
    #6 0x55e48d50ea54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #7 0x55e48d50d9ef in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20941
    #8 0x55e48d50b12f in do_select /10.4/src/sql/sql_select.cc:20423
    #9 0x55e48d498c77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #10 0x55e48d4962a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #11 0x55e48dddba0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #12 0x55e48ddb6a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #13 0x55e48ddbc9e0 in Item_singlerow_subselect::val_int() /10.4/src/sql/item_subselect.cc:1400
    #14 0x55e48d1020bd in Item::val_int_result() /10.4/src/sql/item.h:1557
    #15 0x55e48dc286dc in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10016
    #16 0x55e48dc412a7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8779
    #17 0x55e48dc1dcb5 in Item_cache_wrapper::val_real() /10.4/src/sql/item.cc:8860
    #18 0x55e48dce875b in Item_func_mul::real_op() /10.4/src/sql/item_func.cc:1369
    #19 0x55e48d970ed3 in Item_func_hybrid_field_type::val_real_from_real_op() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x188eed3)
    #20 0x55e48d945d15 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /10.4/src/sql/sql_type.cc:5013
    #21 0x55e48d386a8e in Item_func_hybrid_field_type::val_real() /10.4/src/sql/item_func.h:799
    #22 0x55e48dcecc11 in Item_func_mod::real_op() /10.4/src/sql/item_func.cc:1635
    #23 0x55e48d970ed3 in Item_func_hybrid_field_type::val_real_from_real_op() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x188eed3)
    #24 0x55e48d945d15 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /10.4/src/sql/sql_type.cc:5013
    #25 0x55e48d386a8e in Item_func_hybrid_field_type::val_real() /10.4/src/sql/item_func.h:799
    #26 0x55e48dce875b in Item_func_mul::real_op() /10.4/src/sql/item_func.cc:1369
    #27 0x55e48d970ed3 in Item_func_hybrid_field_type::val_real_from_real_op() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x188eed3)
    #28 0x55e48d945d15 in Type_handler_real_result::Item_func_hybrid_field_type_val_real(Item_func_hybrid_field_type*) const /10.4/src/sql/sql_type.cc:5013
    #29 0x55e48d386a8e in Item_func_hybrid_field_type::val_real() /10.4/src/sql/item_func.h:799
    #30 0x55e48dce9e5f in Item_func_div::real_op() /10.4/src/sql/item_func.cc:1445
    #31 0x55e48dce3299 in Item_func_hybrid_field_type::val_int_from_real_op() /10.4/src/sql/item_func.cc:856
    #32 0x55e48d945d37 in Type_handler_real_result::Item_func_hybrid_field_type_val_int(Item_func_hybrid_field_type*) const /10.4/src/sql/sql_type.cc:5022
    #33 0x55e48d386bee in Item_func_hybrid_field_type::val_int() /10.4/src/sql/item_func.h:805
    #34 0x55e48dcf4a2d in Item_func_shift_left::val_int() /10.4/src/sql/item_func.cc:2121
    #35 0x55e48dcf4a2d in Item_func_shift_left::val_int() /10.4/src/sql/item_func.cc:2121
    #36 0x55e48dc7ab13 in Item_func_bit_and::val_int() /10.4/src/sql/item_cmpfunc.cc:4752
    #37 0x55e48dc542ca in Arg_comparator::compare_int_unsigned_signed() /10.4/src/sql/item_cmpfunc.cc:1021
    #38 0x55e48dc9536d in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104
    #39 0x55e48dc5d124 in Item_func_eq::val_int() /10.4/src/sql/item_cmpfunc.cc:1790
    #40 0x55e48d6b5194 in SQL_SELECT::skip_record(THD*) /10.4/src/sql/opt_range.h:1665
    #41 0x55e48d880542 in JOIN_CACHE::check_match(unsigned char*) /10.4/src/sql/sql_join_cache.cc:2573
    #42 0x55e48d872bd7 in JOIN_CACHE::generate_full_extensions(unsigned char*) /10.4/src/sql/sql_join_cache.cc:2516
    #43 0x55e48d87269f in JOIN_CACHE::join_matching_records(bool) /10.4/src/sql/sql_join_cache.cc:2416
    #44 0x55e48d870d32 in JOIN_CACHE::join_records(bool) /10.4/src/sql/sql_join_cache.cc:2172
    #45 0x55e48d50c3ab in sub_select_cache(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20665
    #46 0x55e48d50cb35 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20847
    #47 0x55e48d50b235 in do_select /10.4/src/sql/sql_select.cc:20425
    #48 0x55e48d498c77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #49 0x55e48d4962a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #50 0x55e48d49a483 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4826
    #51 0x55e48d46af7b in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #52 0x55e48d3d6d7f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #53 0x55e48d3c44f6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #54 0x55e48d3e025a in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8012
    #55 0x55e48d3b6680 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #56 0x55e48d3b31ab in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #57 0x55e48d7c156c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #58 0x55e48d7c0e10 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #59 0x55e48e46bd89 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #60 0x7f0db469a608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #61 0x7f0db426b132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x619000108428 is located 680 bytes inside of 1100-byte region [0x619000108180,0x6190001085cc)
freed by thread T27 here:
    #0 0x7f0db4c9840f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55e48f0027e8 in free_memory /10.4/src/mysys/safemalloc.c:279
    #2 0x55e48f001da4 in sf_free /10.4/src/mysys/safemalloc.c:197
    #3 0x55e48efd07b3 in my_free /10.4/src/mysys/my_malloc.c:222
    #4 0x55e48eface95 in free_root /10.4/src/mysys/my_alloc.c:437
    #5 0x55e48d509879 in free_tmp_table(THD*, TABLE*) /10.4/src/sql/sql_select.cc:20189
    #6 0x55e48d8db894 in Expression_cache_tmptable::disable_cache() /10.4/src/sql/sql_expression_cache.cc:62
    #7 0x55e48d8dc902 in Expression_cache_tmptable::init() /10.4/src/sql/sql_expression_cache.cc:176
    #8 0x55e48dc1bba8 in Item_cache_wrapper::init_on_demand() /10.4/src/sql/item.cc:8639
    #9 0x55e48dc1c9df in Item_cache_wrapper::check_cache() /10.4/src/sql/item.cc:8763
    #10 0x55e48dc1e18c in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8881
    #11 0x55e48dd046fa in Item_func_ord::val_int() /10.4/src/sql/item_func.cc:3186
    #12 0x55e48dcf4a2d in Item_func_shift_left::val_int() /10.4/src/sql/item_func.cc:2121
    #13 0x55e48dc09702 in Item::save_int_in_field(Field*, bool) /10.4/src/sql/item.cc:6716
    #14 0x55e48d93fd9b in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /10.4/src/sql/sql_type.cc:3846
    #15 0x55e48dc098e6 in Item::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6726
    #16 0x55e48d25960a in Item_result_field::save_in_result_field(bool) /10.4/src/sql/item.h:3282
    #17 0x55e48d534bd4 in copy_funcs(Item**, THD const*) /10.4/src/sql/sql_select.cc:26170
    #18 0x55e48d51aacd in end_unique_update /10.4/src/sql/sql_select.cc:22512
    #19 0x55e48d54f1be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615
    #20 0x55e48d55ec6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)
    #21 0x55e48d50c0cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607
    #22 0x55e48d50ea54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #23 0x55e48d50d389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #24 0x55e48d50b12f in do_select /10.4/src/sql/sql_select.cc:20423
    #25 0x55e48d498c77 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4605
    #26 0x55e48d4962a7 in JOIN::exec() /10.4/src/sql/sql_select.cc:4387
    #27 0x55e48dddba0f in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #28 0x55e48ddb6a77 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #29 0x55e48ddbc9e0 in Item_singlerow_subselect::val_int() /10.4/src/sql/item_subselect.cc:1400
 
previously allocated by thread T27 here:
    #0 0x7f0db4c98808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55e48f001758 in sf_malloc /10.4/src/mysys/safemalloc.c:118
    #2 0x55e48efcfcbc in my_malloc /10.4/src/mysys/my_malloc.c:101
    #3 0x55e48efabc9b in alloc_root /10.4/src/mysys/my_alloc.c:258
    #4 0x55e48d553f66 in Field::operator new(unsigned long, st_mem_root*) /10.4/src/sql/field.h:636
    #5 0x55e48d93b95e in Type_handler_long::make_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3209
    #6 0x55e48d93b331 in Type_handler::make_and_init_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3156
    #7 0x55e48d100f35 in Item::tmp_table_field_from_field_type(TABLE*) /10.4/src/sql/item.h:809
    #8 0x55e48d385405 in Item::create_tmp_field_ex_simple(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:828
    #9 0x55e48d977b05 in Item_cache::create_tmp_field_ex(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:6900
    #10 0x55e48d4f89b1 in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /10.4/src/sql/sql_select.cc:18490
    #11 0x55e48d4fbcb2 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18874
    #12 0x55e48d8dc086 in Expression_cache_tmptable::init() /10.4/src/sql/sql_expression_cache.cc:121
    #13 0x55e48dc1bba8 in Item_cache_wrapper::init_on_demand() /10.4/src/sql/item.cc:8639
    #14 0x55e48dc1c9df in Item_cache_wrapper::check_cache() /10.4/src/sql/item.cc:8763
    #15 0x55e48dc1e18c in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8881
    #16 0x55e48dd046fa in Item_func_ord::val_int() /10.4/src/sql/item_func.cc:3186
    #17 0x55e48dcf4a2d in Item_func_shift_left::val_int() /10.4/src/sql/item_func.cc:2121
    #18 0x55e48dc09702 in Item::save_int_in_field(Field*, bool) /10.4/src/sql/item.cc:6716
    #19 0x55e48d93fd9b in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /10.4/src/sql/sql_type.cc:3846
    #20 0x55e48dc098e6 in Item::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6726
    #21 0x55e48d25960a in Item_result_field::save_in_result_field(bool) /10.4/src/sql/item.h:3282
    #22 0x55e48d534bd4 in copy_funcs(Item**, THD const*) /10.4/src/sql/sql_select.cc:26170
    #23 0x55e48d51aacd in end_unique_update /10.4/src/sql/sql_select.cc:22512
    #24 0x55e48d54f1be in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29615
    #25 0x55e48d55ec6e in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x147cc6e)
    #26 0x55e48d50c0cc in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20607
    #27 0x55e48d50ea54 in evaluate_join_record /10.4/src/sql/sql_select.cc:21129
    #28 0x55e48d50d389 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20902
    #29 0x55e48d50b12f in do_select /10.4/src/sql/sql_select.cc:20423
 
Thread T27 created by T0 here:
    #0 0x7f0db4bc5815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55e48e46c17a in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x55e48d0aef71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55e48d0c7103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x55e48d0c789e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x55e48d0c7d84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x55e48d0c8c40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x55e48d0c6808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x55e48d0acf3c in main /10.4/src/sql/main.cc:25
    #9 0x7f0db4170082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/item_sum.cc:2915 in Item_sum_bit::reset_field()
==1204430==ABORTING
----------SERVER LOG END-------------

Comment by Alice Sherepa [ 2023-11-03 ]

test case from MDEV-32402

 
CREATE  TABLE t0 ( a TEXT NOT NULL, b INT, INDEX ( a(12))) ;
INSERT INTO t0 VALUES ( 118 , 46 ) , ( 36 , -108 ) ;
 
SELECT 5 FROM (SELECT a FROM t0) t1 where ( SELECT ord ( ( SELECT bit_or(t1.a)  )) FROM t0 GROUP BY b LIMIT 1 );

Version: '10.4.32-MariaDB-debug-log'
=================================================================
==146718==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000fa828 at pc 0x55da2b7ff2ce bp 0x7ffa47709f70 sp 0x7ffa47709f60
READ of size 8 at 0x6190000fa828 thread T27
    #0 0x55da2b7ff2cd in Item_sum_bit::update_field() /10.4/src/sql/item_sum.cc:2924
    #1 0x55da2af1e9a9 in update_tmptable_sum_func /10.4/src/sql/sql_select.cc:26136
    #2 0x55da2af03e1a in end_update /10.4/src/sql/sql_select.cc:22477
    #3 0x55da2af393b8 in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29651
    #4 0x55da2af48e86 in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x1481e86)
    #5 0x55da2aef5e9a in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20627
    #6 0x55da2aef8822 in evaluate_join_record /10.4/src/sql/sql_select.cc:21149
    #7 0x55da2aef77bd in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20961
    #8 0x55da2aef4efd in do_select /10.4/src/sql/sql_select.cc:20443
    #9 0x55da2ae82a45 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625
    #10 0x55da2ae80075 in JOIN::exec() /10.4/src/sql/sql_select.cc:4407
    #11 0x55da2b7c6b41 in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #12 0x55da2b7a1ba9 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #13 0x55da2b7a7b12 in Item_singlerow_subselect::val_int() /10.4/src/sql/item_subselect.cc:1400
    #14 0x55da2aaeb0bd in Item::val_int_result() /10.4/src/sql/item.h:1557
    #15 0x55da2b61312c in Item_cache_int::cache_value() /10.4/src/sql/item.cc:10023
    #16 0x55da2b62bcf7 in Item_cache_wrapper::cache() /10.4/src/sql/item.cc:8781
    #17 0x55da2b60809d in Item_cache_wrapper::val_int() /10.4/src/sql/item.cc:8835
    #18 0x55da2aef7e1d in evaluate_join_record /10.4/src/sql/sql_select.cc:21017
    #19 0x55da2aef7157 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20922
    #20 0x55da2aef4efd in do_select /10.4/src/sql/sql_select.cc:20443
    #21 0x55da2ae82a45 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625
    #22 0x55da2ae80075 in JOIN::exec() /10.4/src/sql/sql_select.cc:4407
    #23 0x55da2ae84251 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4846
    #24 0x55da2ae54ac7 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
    #25 0x55da2adc082f in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
    #26 0x55da2adadfa6 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
    #27 0x55da2adc9d6e in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8013
    #28 0x55da2ada0130 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
    #29 0x55da2ad9cc5b in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
    #30 0x55da2b1ac55e in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
    #31 0x55da2b1abe02 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
    #32 0x55da2be48497 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
    #33 0x7ffa5e2d8608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #34 0x7ffa5dea9132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6190000fa828 is located 680 bytes inside of 1100-byte region [0x6190000fa580,0x6190000fa9cc)
freed by thread T27 here:
    #0 0x7ffa5e8d640f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55da2c9cfde6 in free_memory /10.4/src/mysys/safemalloc.c:279
    #2 0x55da2c9cf3a2 in sf_free /10.4/src/mysys/safemalloc.c:197
    #3 0x55da2c99df9a in my_free /10.4/src/mysys/my_malloc.c:222
    #4 0x55da2c97ace0 in free_root /10.4/src/mysys/my_alloc.c:437
    #5 0x55da2aef3647 in free_tmp_table(THD*, TABLE*) /10.4/src/sql/sql_select.cc:20209
    #6 0x55da2b2c6dc8 in Expression_cache_tmptable::disable_cache() /10.4/src/sql/sql_expression_cache.cc:62
    #7 0x55da2b2c7e36 in Expression_cache_tmptable::init() /10.4/src/sql/sql_expression_cache.cc:176
    #8 0x55da2b6065d0 in Item_cache_wrapper::init_on_demand() /10.4/src/sql/item.cc:8641
    #9 0x55da2b607407 in Item_cache_wrapper::check_cache() /10.4/src/sql/item.cc:8765
    #10 0x55da2b608bb4 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8883
    #11 0x55da2b6ef838 in Item_func_ord::val_int() /10.4/src/sql/item_func.cc:3186
    #12 0x55da2b5f412a in Item::save_int_in_field(Field*, bool) /10.4/src/sql/item.cc:6718
    #13 0x55da2b32b759 in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /10.4/src/sql/sql_type.cc:3846
    #14 0x55da2b5f430e in Item::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6728
    #15 0x55da2ac42658 in Item_result_field::save_in_result_field(bool) /10.4/src/sql/item.h:3283
    #16 0x55da2af1ece4 in copy_funcs(Item**, THD const*) /10.4/src/sql/sql_select.cc:26204
    #17 0x55da2af040ab in end_update /10.4/src/sql/sql_select.cc:22488
    #18 0x55da2af393b8 in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29651
    #19 0x55da2af48e86 in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x1481e86)
    #20 0x55da2aef5e9a in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20627
    #21 0x55da2aef8822 in evaluate_join_record /10.4/src/sql/sql_select.cc:21149
    #22 0x55da2aef7157 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20922
    #23 0x55da2aef4efd in do_select /10.4/src/sql/sql_select.cc:20443
    #24 0x55da2ae82a45 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625
    #25 0x55da2ae80075 in JOIN::exec() /10.4/src/sql/sql_select.cc:4407
    #26 0x55da2b7c6b41 in subselect_single_select_engine::exec() /10.4/src/sql/item_subselect.cc:4032
    #27 0x55da2b7a1ba9 in Item_subselect::exec() /10.4/src/sql/item_subselect.cc:758
    #28 0x55da2b7a7b12 in Item_singlerow_subselect::val_int() /10.4/src/sql/item_subselect.cc:1400
    #29 0x55da2aaeb0bd in Item::val_int_result() /10.4/src/sql/item.h:1557
 
previously allocated by thread T27 here:
    #0 0x7ffa5e8d6808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55da2c9ced56 in sf_malloc /10.4/src/mysys/safemalloc.c:118
    #2 0x55da2c99d4a3 in my_malloc /10.4/src/mysys/my_malloc.c:101
    #3 0x55da2c979ae6 in alloc_root /10.4/src/mysys/my_alloc.c:258
    #4 0x55da2af3e160 in Field::operator new(unsigned long, st_mem_root*) /10.4/src/sql/field.h:636
    #5 0x55da2b3274dc in Type_handler_longlong::make_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3222
    #6 0x55da2b326cef in Type_handler::make_and_init_table_field(st_mysql_const_lex_string const*, Record_addr const&, Type_all_attributes const&, TABLE*) const /10.4/src/sql/sql_type.cc:3156
    #7 0x55da2aae9f35 in Item::tmp_table_field_from_field_type(TABLE*) /10.4/src/sql/item.h:809
    #8 0x55da2ad6edbd in Item::create_tmp_field_ex_simple(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:828
    #9 0x55da2b3634c3 in Item_cache::create_tmp_field_ex(TABLE*, Tmp_field_src*, Tmp_field_param const*) /10.4/src/sql/item.h:6902
    #10 0x55da2aee277f in create_tmp_field(TABLE*, Item*, Item***, Field**, Field**, bool, bool, bool, bool) /10.4/src/sql/sql_select.cc:18510
    #11 0x55da2aee5a80 in create_tmp_table(THD*, TMP_TABLE_PARAM*, List<Item>&, st_order*, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const*, bool, bool) /10.4/src/sql/sql_select.cc:18894
    #12 0x55da2b2c75ba in Expression_cache_tmptable::init() /10.4/src/sql/sql_expression_cache.cc:121
    #13 0x55da2b6065d0 in Item_cache_wrapper::init_on_demand() /10.4/src/sql/item.cc:8641
    #14 0x55da2b607407 in Item_cache_wrapper::check_cache() /10.4/src/sql/item.cc:8765
    #15 0x55da2b608bb4 in Item_cache_wrapper::val_str(String*) /10.4/src/sql/item.cc:8883
    #16 0x55da2b6ef838 in Item_func_ord::val_int() /10.4/src/sql/item_func.cc:3186
    #17 0x55da2b5f412a in Item::save_int_in_field(Field*, bool) /10.4/src/sql/item.cc:6718
    #18 0x55da2b32b759 in Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const /10.4/src/sql/sql_type.cc:3846
    #19 0x55da2b5f430e in Item::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6728
    #20 0x55da2ac42658 in Item_result_field::save_in_result_field(bool) /10.4/src/sql/item.h:3283
    #21 0x55da2af1ece4 in copy_funcs(Item**, THD const*) /10.4/src/sql/sql_select.cc:26204
    #22 0x55da2af040ab in end_update /10.4/src/sql/sql_select.cc:22488
    #23 0x55da2af393b8 in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29651
    #24 0x55da2af48e86 in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x1481e86)
    #25 0x55da2aef5e9a in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20627
    #26 0x55da2aef8822 in evaluate_join_record /10.4/src/sql/sql_select.cc:21149
    #27 0x55da2aef7157 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20922
    #28 0x55da2aef4efd in do_select /10.4/src/sql/sql_select.cc:20443
    #29 0x55da2ae82a45 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625
 
Thread T27 created by T0 here:
    #0 0x7ffa5e803815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55da2be48888 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
    #2 0x55da2aa97f71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
    #3 0x55da2aab0103 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
    #4 0x55da2aab089e in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
    #5 0x55da2aab0d84 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
    #6 0x55da2aab1c40 in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
    #7 0x55da2aaaf808 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
    #8 0x55da2aa95f3c in main /10.4/src/sql/main.cc:25
    #9 0x7ffa5ddae082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.4/src/sql/item_sum.cc:2924 in Item_sum_bit::update_field()
==146718==ABORTING
----------SERVER LOG END-------------

It could be any aggregation function instead of bit_or, e.g.:

CREATE  TABLE t0 ( a TEXT NOT NULL, b INT, INDEX ( a(12))) ;
INSERT INTO t0 VALUES ( 118 , 46 ) , ( 36 , -108 ) ;
 
SELECT 5 FROM (SELECT a FROM t0) t1 where ( SELECT hex ( ( SELECT count(t1.a)  )) FROM t0 GROUP BY b LIMIT 1 );

=================================================================
==148493==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000f6228 at pc 0x5606541d62ba bp 0x7f667306eec0 sp 0x7f667306eeb0
READ of size 8 at 0x6190000f6228 thread T27
    #0 0x5606541d62b9 in Item_sum_count::reset_field() /10.4/src/sql/item_sum.cc:2864
    #1 0x5606538f68f4 in init_tmptable_sum_functions /10.4/src/sql/sql_select.cc:26124
    #2 0x5606538dc00a in end_update /10.4/src/sql/sql_select.cc:22487
    #3 0x5606539113b8 in AGGR_OP::put_record(bool) /10.4/src/sql/sql_select.cc:29651
    #4 0x560653920e86 in AGGR_OP::put_record() (/home/alice/am/_depot/m-branch/m4-10.4-bld/sql/mysqld+0x1481e86)
    #5 0x5606538cde9a in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20627
    #6 0x5606538d0822 in evaluate_join_record /10.4/src/sql/sql_select.cc:21149
...

Comment by Dave Gosselin [ 2024-01-23 ]

This might be the simplest repro case for this ticket. Note that while we insert integer values, the type of the column c in table t0 cannot be integer as otherwise the crash will not occur. Specifying an index is not necessary.

CREATE TABLE t0 (c TEXT);
INSERT INTO t0 VALUES (71), (-79);
SELECT t1.d FROM (SELECT c AS d FROM t0) AS t1 JOIN t0 ON (
  SELECT ORD((SELECT BIT_OR(d))) FROM t0 GROUP BY d
);

yielding the following trace:

thread #13, stop reason = EXC_BAD_ACCESS (code=1, address=0x8f8f8f8f8f8f8f8f)
frame #0: 0x00000001002af710 mariadbd`Item_sum_bit::reset_field(this=0x00000001049707b0) at item_sum.cc:2954:3
frame #1: 0x0000000100653278 mariadbd`init_tmptable_sum_functions(func_ptr=0x000000013a0142e8) at sql_select.cc:28997:11
frame #2: 0x0000000100633528 mariadbd`end_unique_update(join=0x000000013a0130a0, join_tab=0x00000001051a4f60, end_of_records=false) at sql_select.cc:25339:3
frame #3: 0x0000000100644c8c mariadbd`AGGR_OP::put_record(this=0x000000013a017028, end_of_records=false) at sql_select.cc:32491:30
frame #4: 0x0000000100635098 mariadbd`AGGR_OP::put_record(this=0x000000013a017028) at sql_select.h:1186:48
frame #5: 0x0000000100608440 mariadbd`sub_select_postjoin_aggr(join=0x000000013a0130a0, join_tab=0x00000001051a4f60, end_of_records=false) at sql_select.cc:23288:13
frame #6: 0x0000000100635ce8 mariadbd`evaluate_join_record(join=0x000000013a0130a0, join_tab=0x00000001051a4af0, error=0) at sql_select.cc:23837:11

Comment by Dave Gosselin [ 2024-01-25 ]

The Expression_cache_tmptable implements the Expression_cache using a temporary table. During Expression_cache_tmptable::init, we expect the created temporary table to have the heap handlerton. However, for the crash in this ticket, it is created using the ARIA handlerton instead. This happens because the Create_tmp_table::choose_engine selects the ARIA engine because the temporary table's associated TABLE_SHARE indicates that there are BLOB fields present. This is true because TEXT fields are handled in the same way as BLOB fields in our system; in our grammar, both TEXT and BLOB types rely on the type_handler_blob handler. After the temporary table is created and the engine associated with it, we then invoke move_field on each field associated with the TABLE_SHARE. However, once this is complete and we return to Expression_cache_tmptable::init, we check to see that the heap hton is used as expected and it is not: so we delete the temporary table. Unfortunately, this leaves the pointers inside the Field objects dangling, and we crash later as indicated in the stack traces on this ticket. Non-BLOB types avoid this problem because they end up with a temporary table backed by the heap handlerton. There are a few different ways we can proceed:
(1) Don't use expression cache for blob types by checking ahead-of-time if any fields are blobs when initializing the cache
(2) Allow the cache to use something other than the heap hton
(3) Move fields back out of temporary table before deleting it
(4) Allow expression cache for blob types under a certain length when selecting the engine
(5) Modify Item_subselect::expr_cache_is_needed for this case, such that we determine that the cache is not needed
I've experimented with (1) and that works, passing all but two mtr tests: main.subselect_sj_mat and main.subselect_mat. Those tests fail because the EXPLAIN output changes to show that <expr_cache> is utilized differently. This, however, begs the question: why do those tests pass if they might be allowing BLOBs into the cache? That's something more to follow up on.
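The lifetime bug described in the comment above, modelled as an added example that is not MariaDB's own code: the Field, TmpTable, Engine and init_* names are hypothetical stand-ins for the server's Field / TABLE / Expression_cache_tmptable::init machinery. It shows the buggy order (move fields first, reject the non-HEAP table afterwards) next to the two fixes sketched as options (1) and (3).

```cpp
// Added example (not MariaDB code): a model of the dangling-Field-pointer bug
// in Expression_cache_tmptable::init. All names are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

enum class Engine { HEAP, ARIA };

// A column whose 'ptr' aliases whichever record buffer it was last moved into
// (models Field::ptr after move_field).
struct Field {
    bool is_blob;
    std::vector<uint8_t> own_buf;  // storage the field uses outside any tmp table
    uint8_t* ptr;
    explicit Field(bool blob) : is_blob(blob), own_buf(8, 0), ptr(own_buf.data()) {}
    void move_field(uint8_t* p) { ptr = p; }
};

struct TmpTable {
    Engine engine = Engine::HEAP;
    std::vector<uint8_t> record;   // record buffer the fields are moved into
};

// Models Create_tmp_table::choose_engine: any BLOB/TEXT column forces Aria.
static Engine choose_engine(const std::vector<Field*>& fields) {
    for (const Field* f : fields)
        if (f->is_blob) return Engine::ARIA;
    return Engine::HEAP;
}

// Creates the table and re-points every field into its record buffer.
static std::unique_ptr<TmpTable> create_tmp_table(std::vector<Field*>& fields) {
    std::unique_ptr<TmpTable> t(new TmpTable());
    t->engine = choose_engine(fields);
    t->record.assign(fields.size() * 8, 0);
    for (size_t i = 0; i < fields.size(); ++i)
        fields[i]->move_field(t->record.data() + i * 8);
    return t;
}

using InitFn = bool (*)(std::vector<Field*>&, std::unique_ptr<TmpTable>&);

// Buggy init: the engine is checked only after move_field, so when the table
// is discarded the fields keep pointing into its freed record buffer.
static bool init_buggy(std::vector<Field*>& fields, std::unique_ptr<TmpTable>& cache) {
    cache = create_tmp_table(fields);
    if (cache->engine != Engine::HEAP) {
        cache.reset();          // free_tmp_table(): fields[i]->ptr now dangles
        return false;
    }
    return true;
}

// Option (1): decide up front, so no field is ever moved into a table that
// will be thrown away.
static bool init_check_first(std::vector<Field*>& fields, std::unique_ptr<TmpTable>& cache) {
    if (choose_engine(fields) != Engine::HEAP) return false;
    cache = create_tmp_table(fields);
    return true;
}

// Option (3): move the fields back to their own storage before freeing.
static bool init_move_back(std::vector<Field*>& fields, std::unique_ptr<TmpTable>& cache) {
    cache = create_tmp_table(fields);
    if (cache->engine != Engine::HEAP) {
        for (Field* f : fields) f->move_field(f->own_buf.data());
        cache.reset();
        return false;
    }
    return true;
}

// A field is valid if it points at its own storage or into a live cache table.
// Only pointer values are compared; freed memory is never read.
static bool fields_valid(const std::vector<Field*>& fields, const TmpTable* cache) {
    for (const Field* f : fields) {
        bool own = f->ptr == f->own_buf.data();
        bool in_cache = cache && f->ptr >= cache->record.data()
                        && f->ptr < cache->record.data() + cache->record.size();
        if (!own && !in_cache) return false;
    }
    return true;
}

struct Outcome { bool cache_enabled; bool fields_ok; };

// Runs one init variant over a (TEXT, INT) column pair like t0(c33 TEXT, c23 INT)
// from the report, or two non-BLOB columns when with_blob is false.
static Outcome run(InitFn init, bool with_blob) {
    Field a(with_blob), b(false);
    std::vector<Field*> fields{&a, &b};
    std::unique_ptr<TmpTable> cache;
    bool enabled = init(fields, cache);
    return Outcome{enabled, fields_valid(fields, cache.get())};
}
```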

Comment by Dave Gosselin [ 2024-01-26 ]

PR is https://github.com/MariaDB/server/pull/3025

Generated at Thu Feb 08 10:31:04 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.