In this test, format reports a mirror mismatch and while it's dumping the pages ASAN detects a use-after-free error.
Here's the ASAN report:
[2022/09/04 08:26:29.427] ==24574==ERROR: AddressSanitizer: heap-use-after-free on address 0x633000594800 at pc 0x7f8dc626da1e bp 0x7f8db2734a00 sp 0x7f8db27349f8 [2022/09/04 08:26:29.427] READ of size 16 at 0x633000594800 thread T80 [2022/09/04 08:26:29.427] #0 0x7f8dc626da1d in __wt_lex_compare_skip /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/include/btree_cmp_inline.h:232:21 [2022/09/04 08:26:29.427] #1 0x7f8dc626b768 in __wt_row_search /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/btree/row_srch.c:375:23 [2022/09/04 08:26:29.427] #2 0x7f8dc619cad4 in __cursor_row_search /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/btree/bt_cursor.c:501:5 [2022/09/04 08:26:29.427] #3 0x7f8dc619f780 in __wt_btcur_search_near /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/btree/bt_cursor.c:967:13 [2022/09/04 08:26:29.427] #4 0x7f8dc62fe604 in __curfile_search_near /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/cursor/cur_file.c:348:5 [2022/09/04 08:26:29.427] #5 0x4f94be in table_dump_page /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/util.c:320:11 [2022/09/04 08:26:29.427] #6 0x4fb5ce in table_verify_mirror /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:297:29 [2022/09/04 08:26:29.427] #7 0x4fa2d1 in wts_verify /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:365:13 [2022/09/04 08:26:29.427] #8 0x4cd901 in check_copy /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:70:5 [2022/09/04 08:26:29.427] #9 0x4ca224 in backup /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:651:13 [2022/09/04 08:26:29.427] #10 0x7f8dc5dc2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 [2022/09/04 08:26:29.427] #11 0x7f8dc5b6b132 in clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95 [2022/09/04 08:26:29.427] 0x633000594800 is located 0 bytes inside of 102400-byte region [0x633000594800,0x6330005ad800) [2022/09/04 08:26:29.427] freed by thread T80 here: [2022/09/04 08:26:29.427] #0 0x498262 in free /data/mci/3c3c046b1b46b72eb7f046666a5afd22/toolchain-builder/tmp/build-llvm-v4.sh-DSy/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 [2022/09/04 08:26:29.427] #1 0x4dcfc5 in key_gen_teardown /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/kv.c:135:5 [2022/09/04 08:26:29.427] #2 0x4f9482 in table_dump_page /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/util.c:317:9 [2022/09/04 08:26:29.427] #3 0x4fb5ce in table_verify_mirror /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:297:29 [2022/09/04 08:26:29.427] #4 0x4fa2d1 in wts_verify /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:365:13 [2022/09/04 08:26:29.427] #5 0x4cd901 in check_copy /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:70:5 [2022/09/04 08:26:29.427] #6 0x4ca224 in backup /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:651:13 [2022/09/04 08:26:29.427] #7 0x7f8dc5dc2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 [2022/09/04 08:26:29.427] previously allocated by thread T80 here: [2022/09/04 08:26:29.427] #0 0x4984cd in malloc /data/mci/3c3c046b1b46b72eb7f046666a5afd22/toolchain-builder/tmp/build-llvm-v4.sh-DSy/llvm-project-llvmorg/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 [2022/09/04 08:26:29.427] #1 0x5062ce in dmalloc /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/utility/misc.c:397:14 [2022/09/04 08:26:29.427] #2 0x4dcd0f in key_gen_init /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/kv.c:118:9 [2022/09/04 08:26:29.427] #3 0x4f9432 in table_dump_page /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/util.c:314:9 [2022/09/04 08:26:29.427] #4 0x4fb5ce in table_verify_mirror /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:297:29 [2022/09/04 08:26:29.427] #5 0x4fa2d1 in wts_verify /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/verify.c:365:13 [2022/09/04 08:26:29.427] #6 0x4cd901 in check_copy /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:70:5 [2022/09/04 08:26:29.427] #7 0x4ca224 in backup /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/backup.c:651:13 [2022/09/04 08:26:29.427] #8 0x7f8dc5dc2608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8 [2022/09/04 08:26:29.427] Thread T80 created by T0 here: [2022/09/04 08:26:29.427] #0 0x482bcc in pthread_create /data/mci/3c3c046b1b46b72eb7f046666a5afd22/toolchain-builder/tmp/build-llvm-v4.sh-DSy/llvm-project-llvmorg/compiler-rt/lib/asan/asan_interceptors.cpp:205:3 [2022/09/04 08:26:29.427] #1 0x7f8dc645acff in __wt_thread_create /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/os_posix/os_thread.c:28:5 [2022/09/04 08:26:29.427] #2 0x4deb65 in operations /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/ops.c:303:9 [2022/09/04 08:26:29.427] #3 0x4f48d1 in main /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../test/format/t.c:376:9 [2022/09/04 08:26:29.427] #4 0x7f8dc5a70082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16 [2022/09/04 08:26:29.427] SUMMARY: AddressSanitizer: heap-use-after-free /data/mci/eafdffe0c4388990d054e32cc91b55c6/wiredtiger/cmake_build/../src/include/btree_cmp_inline.h:232:21 in __wt_lex_compare_skip [2022/09/04 08:26:29.427] Shadow bytes around the buggy address: [2022/09/04 08:26:29.427] 0x0c66800aa8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa [2022/09/04 08:26:29.427] 0x0c66800aa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa [2022/09/04 08:26:29.427] 0x0c66800aa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa [2022/09/04 08:26:29.427] 0x0c66800aa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa [2022/09/04 08:26:29.427] 0x0c66800aa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa [2022/09/04 08:26:29.427] =>0x0c66800aa900:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] 0x0c66800aa910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] 0x0c66800aa920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] 0x0c66800aa930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] 0x0c66800aa940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] 0x0c66800aa950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd [2022/09/04 08:26:29.427] Shadow byte legend (one shadow byte represents 8 application bytes): [2022/09/04 08:26:29.427] Addressable: 00 [2022/09/04 08:26:29.427] Partially addressable: 01 02 03 04 05 06 07 [2022/09/04 08:26:29.427] Heap left redzone: fa [2022/09/04 08:26:29.427] Freed heap region: fd [2022/09/04 08:26:29.427] Stack left redzone: f1 [2022/09/04 08:26:29.427] Stack mid redzone: f2 [2022/09/04 08:26:29.427] Stack right redzone: f3 [2022/09/04 08:26:29.427] Stack after return: f5 [2022/09/04 08:26:29.427] Stack use after scope: f8 [2022/09/04 08:26:29.428] Global redzone: f9 [2022/09/04 08:26:29.428] Global init order: f6 [2022/09/04 08:26:29.428] Poisoned by user: f7 [2022/09/04 08:26:29.428] Container overflow: fc [2022/09/04 08:26:29.428] Array cookie: ac [2022/09/04 08:26:29.428] Intra object redzone: bb [2022/09/04 08:26:29.428] ASan internal: fe [2022/09/04 08:26:29.428] Left alloca redzone: ca [2022/09/04 08:26:29.428] Right alloca redzone: cb [2022/09/04 08:26:29.428] Shadow gap: cc
The same thread (T80) allocated memory in key_gen_init() and then freed it in key_gen_teardown() and subsequently accessed the same memory in __wt_row_search().