Details
-
Type:
Bug
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 10.2.2, 10.3.0
-
Component/s: Storage Engine - InnoDB
-
Labels:
Description
The functions innobase_commit_by_xid() and innobase_rollback_by_xid(), which implement XA ROLLBACK and XA COMMIT for XA PREPARE transactions that are no longer attached to a connection, are freeing the transaction object to the pool prematurely, and then modifying the trx_t::in_depth and trx::in_innodb fields of the freed object. While the object is already free in the pool, it could be reused by trx_create_low() by some other connection. This could cause memory corruption and cause bugs like MDEV-14128 and MDEV-13935.
This bug was caught after adding AddressSanitizer poisoning to the transaction Pool.
Attachments
Issue Links
- relates to
-
MDEV-13935 INSERT INTO stuck at state "Unlocking tables"
-
- Closed
-
-
MDEV-14128 Assertion `trx->in_depth > 0' failed in TrxInInnoDB::exit
-
- Closed
-
-
MDEV-15030 Add ASAN instrumentation
-
- Closed
-