[MDEV-8089] Server crashed or ASAN heap-use-after-free in Apc_target::make_apc_call on SHOW EXPLAIN Created: 2015-05-01  Updated: 2021-11-25

Status: Confirmed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.0, 10.1, 10.2
Fix Version/s: 10.2

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None

Attachments: mysql.err, mysql.log
Issue Links:
Duplicate
duplicates MDEV-8048 [Draft] Server crashed in in _IO_vfpr... Closed

Description

/home/elenst/git/10.1/sql/mysqld(my_print_stacktrace+0x38)[0x7f0eacda7b22]
sql/signal_handler.cc:155(handle_fatal_signal)[0x7f0eac764040]
/lib/x86_64-linux-gnu/libpthread.so.0(+0xfcb0)[0x7f0eaa9a4cb0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x29f1)[0x7f0eaa0213b1]
/lib/x86_64-linux-gnu/libc.so.6(+0x4e1a4)[0x7f0eaa0241a4]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x21e)[0x7f0eaa01ebde]
/lib/x86_64-linux-gnu/libc.so.6(_IO_fprintf+0x87)[0x7f0eaa029837]
/home/elenst/git/10.1/sql/mysqld(safe_cond_timedwait+0x242)[0x7f0eacdad51b]
psi/mysql_thread.h:1202(inline_mysql_cond_timedwait)[0x7f0eac6c8f57]
sql/my_apc.cc:194(Apc_target::make_apc_call(THD*, Apc_target::Apc_call*, int, bool*))[0x7f0eac6c94b5]
sql/sql_show.cc:2656(fill_show_explain(THD*, TABLE_LIST*, Item*))[0x7f0eac5c3c68]
sql/sql_show.cc:7939(get_schema_tables_result(JOIN*, enum_schema_table_state))[0x7f0eac5d78d5]
sql/sql_select.cc:2546(JOIN::exec_inner())[0x7f0eac57a5e3]
sql/sql_select.cc:2398(JOIN::exec())[0x7f0eac579c71]
sql/sql_select.cc:3328(mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x7f0eac57d262]
sql/sql_select.cc:373(handle_select(THD*, LEX*, select_result*, unsigned long))[0x7f0eac573203]
sql/sql_parse.cc:5782(execute_sqlcom_select(THD*, TABLE_LIST*))[0x7f0eac544475]
sql/sql_parse.cc:2926(mysql_execute_command(THD*))[0x7f0eac53a9d2]
sql/sql_prepare.cc:4012(Prepared_statement::execute(String*, bool))[0x7f0eac561619]
sql/sql_prepare.cc:3644(Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*))[0x7f0eac5604ba]
sql/sql_prepare.cc:2778(mysql_sql_stmt_execute(THD*))[0x7f0eac55e519]
sql/sql_parse.cc:2938(mysql_execute_command(THD*))[0x7f0eac53aa03]
sql/sql_parse.cc:7165(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x7f0eac547a0b]
sql/sql_parse.cc:1464(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x7f0eac536cbc]
sql/sql_parse.cc:1090(do_command(THD*))[0x7f0eac535a97]
sql/sql_connect.cc:1347(do_handle_one_connection(THD*))[0x7f0eac66600d]
sql/sql_connect.cc:1259(handle_one_connection)[0x7f0eac665d65]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7e9a)[0x7f0eaa99ce9a]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f0eaa0c9cbd]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x7f0e8242a188): SHOW EXPLAIN FOR 69
Connection ID (thread ID): 14
Status: NOT_KILLED

Happened once so far, on 10.1 tree around commit 46816996 (possibly a few commits earlier).
RQG revno 1016

perl /home/elenst/bzr/randgen-mariadb-patches/runall-new.pl --no-mask --seed=1430256717 --threads=16 --duration=400 --queries=100M --reporters=QueryTimeout,Backtrace,ErrorLog,Deadlock --redefine=conf/mariadb/general-workarounds.yy --redefine=conf/mariadb/10.0-features-redefine.yy --mysqld=--log_output=FILE --mysqld=--slow_query_log --mysqld=--log_bin_trust_function_creators=1 --mysqld=--query_cache_size=64M --views --grammar=conf/runtime/connect_kill_sql.yy --gendata=conf/runtime/connect_kill_data.zz --engine=InnoDB --rpl_mode=mixed --mysqld=--slave-skip-errors=1049,1305,1539,1505,1317 --mysqld=--slave-parallel-mode=conservative --mysqld=--binlog_commit_wait_count=10 --mysqld=--binlog_commit_wait_usec=1000000 --mysqld=--slave-parallel-threads=1 --use-gtid=slave_pos --mtr-build-thread=73 --basedir1=/home/elenst/git/10.1 --vardir1=/home/elenst/test_results/10.1-parallel-replication-8/current1_1



Comments
Comment by Elena Stepanova [ 2017-11-09 ]

Recent occurrence

10.1 644ffdeb9290a5fc

2017-11-09 21:39:04 140221051173632 [Note] InnoDB: Resuming purge
171109 21:39:09 [ERROR] mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.1.29-MariaDB-debug
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=12
max_threads=153
thread_count=8
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467243 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

# 2017-11-09T21:39:39 [15595] #3  <signal handler called>
# 2017-11-09T21:39:39 [15595] #4  0x00007f87c754acc0 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
# 2017-11-09T21:39:39 [15595] #5  0x00007f87c754bef1 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
# 2017-11-09T21:39:39 [15595] #6  0x00007f87c754932d in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
# 2017-11-09T21:39:39 [15595] #7  0x00007f87c75517f7 in fprintf () from /lib/x86_64-linux-gnu/libc.so.6
# 2017-11-09T21:39:39 [15595] #8  0x000055807038041f in safe_cond_timedwait (cond=0x7f87c1ffa070, mp=0x7f879f3e38f8, abstime=0x7f87c1ffa030, file=0x558070474080 "/home/elenst/git/10.1/include/mysql/psi/mysql_thread.h", line=1202) at /home/elenst/git/10.1/mysys/thr_mutex.c:566
# 2017-11-09T21:39:39 [15595] #9  0x000055806fc71156 in inline_mysql_cond_timedwait (that=0x7f87c1ffa070, mutex=0x7f879f3e38f8, abstime=0x7f87c1ffa030, src_file=0x558070474180 "/home/elenst/git/10.1/sql/my_apc.cc", src_line=155) at /home/elenst/git/10.1/include/mysql/psi/mysql_thread.h:1202
# 2017-11-09T21:39:39 [15595] #10 0x000055806fc715c9 in Apc_target::make_apc_call (this=0x7f879f3e5a70, caller_thd=0x7f879f3f8070, call=0x7f87c1ffa180, timeout_sec=30, timed_out=0x7f87c1ffa102) at /home/elenst/git/10.1/sql/my_apc.cc:155
# 2017-11-09T21:39:39 [15595] #11 0x000055806fb68f30 in fill_show_explain (thd=0x7f879f3f8070, table=0x7f879a8a91c8, cond=0x0) at /home/elenst/git/10.1/sql/sql_show.cc:2818
# 2017-11-09T21:39:39 [15595] #12 0x000055806fb7d522 in get_schema_tables_result (join=0x7f879a83ae88, executed_place=PROCESSED_BY_JOIN_EXEC) at /home/elenst/git/10.1/sql/sql_show.cc:8227
# 2017-11-09T21:39:39 [15595] #13 0x000055806fb1d10a in JOIN::exec_inner (this=0x7f879a83ae88) at /home/elenst/git/10.1/sql/sql_select.cc:2664
# 2017-11-09T21:39:39 [15595] #14 0x000055806fb1c7b5 in JOIN::exec (this=0x7f879a83ae88) at /home/elenst/git/10.1/sql/sql_select.cc:2512
# 2017-11-09T21:39:39 [15595] #15 0x000055806fb1fd43 in mysql_select (thd=0x7f879f3f8070, rref_pointer_array=0x7f879a8a7b08, tables=0x7f879a8a91c8, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f879a83ae68, unit=0x7f879a8a7160, select_lex=0x7f879a8a7860) at /home/elenst/git/10.1/sql/sql_select.cc:3449
# 2017-11-09T21:39:39 [15595] #16 0x000055806fb15771 in handle_select (thd=0x7f879f3f8070, lex=0x7f879a8a7098, result=0x7f879a83ae68, setup_tables_done_option=0) at /home/elenst/git/10.1/sql/sql_select.cc:384
# 2017-11-09T21:39:39 [15595] #17 0x000055806fae54ce in execute_sqlcom_select (thd=0x7f879f3f8070, all_tables=0x7f879a8a91c8) at /home/elenst/git/10.1/sql/sql_parse.cc:5905
# 2017-11-09T21:39:39 [15595] #18 0x000055806fadb3e5 in mysql_execute_command (thd=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_parse.cc:2975
# 2017-11-09T21:39:39 [15595] #19 0x000055806fb031e3 in Prepared_statement::execute (this=0x7f879a85a470, expanded_query=0x7f87c1ffba50, open_cursor=false) at /home/elenst/git/10.1/sql/sql_prepare.cc:4300
# 2017-11-09T21:39:39 [15595] #20 0x000055806fb0204e in Prepared_statement::execute_loop (this=0x7f879a85a470, expanded_query=0x7f87c1ffba50, open_cursor=false, packet=0x0, packet_end=0x0) at /home/elenst/git/10.1/sql/sql_prepare.cc:3932
# 2017-11-09T21:39:39 [15595] #21 0x000055806fb000bc in mysql_sql_stmt_execute (thd=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_prepare.cc:3056
# 2017-11-09T21:39:39 [15595] #22 0x000055806fadb416 in mysql_execute_command (thd=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_parse.cc:2986
# 2017-11-09T21:39:39 [15595] #23 0x000055806fae8bee in mysql_parse (thd=0x7f879f3f8070, rawbuf=0x7f879a83a088 "EXECUTE show_expl_stmt USING @thread_id /* QNO 1282 CON_ID 14 */", length=64, parser_state=0x7f87c1ffc630) at /home/elenst/git/10.1/sql/sql_parse.cc:7326
# 2017-11-09T21:39:39 [15595] #24 0x000055806fad74ae in dispatch_command (command=COM_QUERY, thd=0x7f879f3f8070, packet=0x7f879f806071 " EXECUTE show_expl_stmt USING @thread_id /* QNO 1282 CON_ID 14 */ ", packet_length=66) at /home/elenst/git/10.1/sql/sql_parse.cc:1477
# 2017-11-09T21:39:39 [15595] #25 0x000055806fad622c in do_command (thd=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_parse.cc:1106
# 2017-11-09T21:39:39 [15595] #26 0x000055806fc0f44d in do_handle_one_connection (thd_arg=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_connect.cc:1349
# 2017-11-09T21:39:39 [15595] #27 0x000055806fc0f19c in handle_one_connection (arg=0x7f879f3f8070) at /home/elenst/git/10.1/sql/sql_connect.cc:1261
# 2017-11-09T21:39:39 [15595] #28 0x00007f87c7f576ba in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
# 2017-11-09T21:39:39 [15595] #29 0x00007f87c760282d in clone () from /lib/x86_64-linux-gnu/libc.so.6

Query (0x7f879a83a1c0): SHOW EXPLAIN FOR 12
Connection ID (thread ID): 14
Status: NOT_KILLED
 
Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=off

Comment by Sergey Vojtovich [ 2017-12-08 ]

Something similar:

AAA.opt:
--thread-cache-size=0
AAA.test:
CREATE TABLE t1(a INT);
INSERT INTO t1 VALUES(1);
 
connect(con1, localhost, root);
let $tid= `SELECT CONNECTION_ID()`;
send SELECT SLEEP(2) FROM t1;
 
connection default;
SELECT CONNECTION_ID();
--sleep 1
send_eval SHOW EXPLAIN FOR $tid;
 
connection con1;
reap;
disconnect con1;
connection default;
reap;
 
DROP TABLE t1;
 
diff:
diff --git a/sql/my_apc.cc b/sql/my_apc.cc
index c86e554..3d7cbfc 100644
--- a/sql/my_apc.cc
+++ b/sql/my_apc.cc
@@ -155,6 +155,9 @@ bool Apc_target::make_apc_call(THD *caller_thd, Apc_call *call,
       wait_res= mysql_cond_timedwait(&apc_request.COND_request,
                                      LOCK_thd_data_ptr, &abstime);
                                       // &apc_request.LOCK_request, &abstime);
+      mysql_mutex_unlock(LOCK_thd_data_ptr);
+      sleep(5);
+      mysql_mutex_lock(LOCK_thd_data_ptr);
       if (caller_thd->killed)
         break;
     }
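Review bot: the `mysql_mutex_lock(LOCK_thd_data_ptr)` added after `sleep(5)` re-acquires a mutex that lives inside the target THD, and nothing in this hunk keeps that THD alive across the sleep; as a debugging injection that is the intended effect (it is what produces `that=0x8f8f8f8f8f8f8f8f` at my_apc.cc:160 in the trace that follows), so the hunk should carry a comment marking it as a diagnostic not meant for merge. Two smaller points while here: the stale commented-out line `// &apc_request.LOCK_request, &abstime);` in the context could be dropped in the same pass, and because `if (caller_thd->killed)` is only evaluated after the sleep, a KILL of the caller is delayed by up to 5 s per loop iteration, which is harmless for a reproduction but worth stating in the comment.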

Thread 1 (Thread 0x7f4d79f14700 (LWP 2906)):
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:62
#1  0x0000562d6637ca11 in my_write_core (sig=11) at /home/svoj/devel/maria/mariadb/mysys/stacktrace.c:481
#2  0x0000562d65b9fbed in handle_fatal_signal (sig=11) at /home/svoj/devel/maria/mariadb/sql/signal_handler.cc:303
#3  <signal handler called>
#4  0x0000562d65a93737 in inline_mysql_mutex_lock (that=0x8f8f8f8f8f8f8f8f, src_file=0x562d6648eb20 "/home/svoj/devel/maria/mariadb/sql/my_apc.cc", src_line=160) at /home/svoj/devel/maria/mariadb/include/mysql/psi/mysql_thread.h:656
#5  0x0000562d65a93eff in Apc_target::make_apc_call (this=0x7f4d5c004718, caller_thd=0x7f4d68147050, call=0x7f4d79f123d0, timeout_sec=30, timed_out=0x7f4d79f12352) at /home/svoj/devel/maria/mariadb/sql/my_apc.cc:160
#6  0x0000562d65971f4b in fill_show_explain (thd=0x7f4d68147050, table=0x7f4d6800c5b0, cond=0x0) at /home/svoj/devel/maria/mariadb/sql/sql_show.cc:2953
#7  0x0000562d65987693 in get_schema_tables_result (join=0x7f4d6800d940, executed_place=PROCESSED_BY_JOIN_EXEC) at /home/svoj/devel/maria/mariadb/sql/sql_show.cc:8402
#8  0x0000562d65923040 in JOIN::exec_inner (this=0x7f4d6800d940) at /home/svoj/devel/maria/mariadb/sql/sql_select.cc:3586
#9  0x0000562d659226e6 in JOIN::exec (this=0x7f4d6800d940) at /home/svoj/devel/maria/mariadb/sql/sql_select.cc:3417
#10 0x0000562d659238be in mysql_select (thd=0x7f4d68147050, tables=0x7f4d6800c5b0, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f4d6800d920, unit=0x7f4d6814ad68, select_lex=0x7f4d6814b4a0) at /home/svoj/devel/maria/mariadb/sql/sql_select.cc:3817
#11 0x0000562d65917a52 in handle_select (thd=0x7f4d68147050, lex=0x7f4d6814aca0, result=0x7f4d6800d920, setup_tables_done_option=0) at /home/svoj/devel/maria/mariadb/sql/sql_select.cc:378
#12 0x0000562d658e311b in execute_sqlcom_select (thd=0x7f4d68147050, all_tables=0x7f4d6800c5b0) at /home/svoj/devel/maria/mariadb/sql/sql_parse.cc:6503
#13 0x0000562d658d94dd in mysql_execute_command (thd=0x7f4d68147050) at /home/svoj/devel/maria/mariadb/sql/sql_parse.cc:3748
#14 0x0000562d658e6a64 in mysql_parse (thd=0x7f4d68147050, rawbuf=0x7f4d6800b8d8 "SHOW EXPLAIN FOR 5", length=18, parser_state=0x7f4d79f13490, is_com_multi=false, is_next_command=false) at /home/svoj/devel/maria/mariadb/sql/sql_parse.cc:7959
#15 0x0000562d658d3ee6 in dispatch_command (command=COM_QUERY, thd=0x7f4d68147050, packet=0x7f4d6808b201 "SHOW EXPLAIN FOR 5", packet_length=18, is_com_multi=false, is_next_command=false) at /home/svoj/devel/maria/mariadb/sql/sql_parse.cc:1828
#16 0x0000562d658d2858 in do_command (thd=0x7f4d68147050) at /home/svoj/devel/maria/mariadb/sql/sql_parse.cc:1370
#17 0x0000562d65a2a8fa in do_handle_one_connection (connect=0x562d69a6c3b0) at /home/svoj/devel/maria/mariadb/sql/sql_connect.cc:1420
#18 0x0000562d65a2a64d in handle_one_connection (arg=0x562d69a6c3b0) at /home/svoj/devel/maria/mariadb/sql/sql_connect.cc:1326
#19 0x0000562d65dd707b in pfs_spawn_thread (arg=0x562d69a57c80) at /home/svoj/devel/maria/mariadb/storage/perfschema/pfs.cc:1863
#20 0x00007f4d817386ba in start_thread (arg=0x7f4d79f14700) at pthread_create.c:333
#21 0x00007f4d80bcd3dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Comment by Elena Stepanova [ 2017-12-10 ]

svoj, is it a "fair" way to reproduce the problem, releasing the mutex in the middle of the function? In other words, can we confirm it through this injection?

Comment by Sergey Vojtovich [ 2017-12-11 ]

elenst, I believe it is fair to re-lock here, since mysql_cond_timedwait() does the same: it releases the mutex before going to sleep and then re-acquires it before returning.
If we don't care about mysql_cond_timedwait() relock, why would we have to care about another relock?

Ideally this delay should be added to pthread_cond_timedwait() directly, but that's more complex.

Comment by Elena Stepanova [ 2019-03-31 ]

Still reproducible with svoj's injection above at least on 10.0-10.2. Can't confirm for 10.3+, since the injection does not build there.

10.2 fe1dfe39 with injection

==32208==ERROR: AddressSanitizer: heap-use-after-free on address 0x62a00005bc38 at pc 0x55ddb7d66186 bp 0x7f8264c71c30 sp 0x7f8264c71c28
WRITE of size 8 at 0x62a00005bc38 thread T6
    #0 0x55ddb7d66185 in safe_cond_timedwait /data/src/10.2-bug/mysys/thr_mutex.c:557
    #1 0x55ddb6b11c12 in inline_mysql_cond_timedwait /data/src/10.2-bug/include/mysql/psi/mysql_thread.h:1175
    #2 0x55ddb6b127cb in Apc_target::make_apc_call(THD*, Apc_target::Apc_call*, int, bool*) /data/src/10.2-bug/sql/my_apc.cc:155
    #3 0x55ddb686c032 in fill_show_explain(THD*, TABLE_LIST*, Item*) /data/src/10.2-bug/sql/sql_show.cc:2946
    #4 0x55ddb68aab6d in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/10.2-bug/sql/sql_show.cc:8425
    #5 0x55ddb67a27fb in JOIN::exec_inner() /data/src/10.2-bug/sql/sql_select.cc:3587
    #6 0x55ddb67a0acd in JOIN::exec() /data/src/10.2-bug/sql/sql_select.cc:3418
    #7 0x55ddb67a3eb5 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2-bug/sql/sql_select.cc:3818
    #8 0x55ddb6782e8a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2-bug/sql/sql_select.cc:376
    #9 0x55ddb6706a54 in execute_sqlcom_select /data/src/10.2-bug/sql/sql_parse.cc:6479
    #10 0x55ddb66f3c04 in mysql_execute_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:3537
    #11 0x55ddb670f73f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:8013
    #12 0x55ddb66ea2e7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2-bug/sql/sql_parse.cc:1832
    #13 0x55ddb66e7356 in do_command(THD*) /data/src/10.2-bug/sql/sql_parse.cc:1386
    #14 0x55ddb6a2df66 in do_handle_one_connection(CONNECT*) /data/src/10.2-bug/sql/sql_connect.cc:1335
    #15 0x55ddb6a2d97b in handle_one_connection /data/src/10.2-bug/sql/sql_connect.cc:1241
    #16 0x55ddb744d0c9 in pfs_spawn_thread /data/src/10.2-bug/storage/perfschema/pfs.cc:1862
    #17 0x7f827110b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #18 0x7f826f4f193e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x62a00005bc38 is located 6712 bytes inside of 22524-byte region [0x62a00005a200,0x62a00005f9fc)
freed by thread T7 here:
    #0 0x7f8271375527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x55ddb7d7927e in free_memory /data/src/10.2-bug/mysys/safemalloc.c:279
    #2 0x55ddb7d78884 in sf_free /data/src/10.2-bug/mysys/safemalloc.c:197
    #3 0x55ddb7d47b13 in my_free /data/src/10.2-bug/mysys/my_malloc.c:218
    #4 0x55ddb6505483 in ilink::operator delete(void*, unsigned long) /data/src/10.2-bug/sql/sql_list.h:655
    #5 0x55ddb663eee4 in THD::~THD() /data/src/10.2-bug/sql/sql_class.cc:1565
    #6 0x55ddb64ee494 in one_thread_per_connection_end(THD*, bool) /data/src/10.2-bug/sql/mysqld.cc:3066
    #7 0x55ddb6a2e188 in do_handle_one_connection(CONNECT*) /data/src/10.2-bug/sql/sql_connect.cc:1354
    #8 0x55ddb6a2d97b in handle_one_connection /data/src/10.2-bug/sql/sql_connect.cc:1241
    #9 0x55ddb744d0c9 in pfs_spawn_thread /data/src/10.2-bug/storage/perfschema/pfs.cc:1862
    #10 0x7f827110b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
previously allocated by thread T7 here:
    #0 0x7f827137573f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x55ddb7d77ff4 in sf_malloc /data/src/10.2-bug/mysys/safemalloc.c:118
    #2 0x55ddb7d4717a in my_malloc /data/src/10.2-bug/mysys/my_malloc.c:101
    #3 0x55ddb6505440 in ilink::operator new(unsigned long) /data/src/10.2-bug/sql/sql_list.h:651
    #4 0x55ddb6a2e8f3 in CONNECT::create_thd(THD*) /data/src/10.2-bug/sql/sql_connect.cc:1439
    #5 0x55ddb6a2dc2d in do_handle_one_connection(CONNECT*) /data/src/10.2-bug/sql/sql_connect.cc:1279
    #6 0x55ddb6a2d97b in handle_one_connection /data/src/10.2-bug/sql/sql_connect.cc:1241
    #7 0x55ddb744d0c9 in pfs_spawn_thread /data/src/10.2-bug/storage/perfschema/pfs.cc:1862
    #8 0x7f827110b493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
 
Thread T6 created by T0 here:
    #0 0x7f8271344bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55ddb744d691 in spawn_thread_v1 /data/src/10.2-bug/storage/perfschema/pfs.cc:1912
    #2 0x55ddb64e379e in inline_mysql_thread_create /data/src/10.2-bug/include/mysql/psi/mysql_thread.h:1239
    #3 0x55ddb64f8806 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2-bug/sql/mysqld.cc:6482
    #4 0x55ddb64f8f0b in create_new_thread /data/src/10.2-bug/sql/mysqld.cc:6552
    #5 0x55ddb64f9f22 in handle_connections_sockets() /data/src/10.2-bug/sql/mysqld.cc:6827
    #6 0x55ddb64f7d5b in mysqld_main(int, char**) /data/src/10.2-bug/sql/mysqld.cc:6101
    #7 0x55ddb64e1b3f in main /data/src/10.2-bug/sql/main.cc:25
    #8 0x7f826f4292b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
Thread T7 created by T0 here:
    #0 0x7f8271344bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x55ddb744d691 in spawn_thread_v1 /data/src/10.2-bug/storage/perfschema/pfs.cc:1912
    #2 0x55ddb64e379e in inline_mysql_thread_create /data/src/10.2-bug/include/mysql/psi/mysql_thread.h:1239
    #3 0x55ddb64f8806 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2-bug/sql/mysqld.cc:6482
    #4 0x55ddb64f8f0b in create_new_thread /data/src/10.2-bug/sql/mysqld.cc:6552
    #5 0x55ddb64f9f22 in handle_connections_sockets() /data/src/10.2-bug/sql/mysqld.cc:6827
    #6 0x55ddb64f7d5b in mysqld_main(int, char**) /data/src/10.2-bug/sql/mysqld.cc:6101
    #7 0x55ddb64e1b3f in main /data/src/10.2-bug/sql/main.cc:25
    #8 0x7f826f4292b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2-bug/mysys/thr_mutex.c:557 safe_cond_timedwait
Shadow bytes around the buggy address:
  0x0c5480003730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480003740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480003750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480003760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5480003770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5480003780: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c5480003790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800037a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800037b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800037c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c54800037d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==32208==ABORTING
