Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15518

XA: Server crash or ASAN heap-use-after-free in ha_innobase::delete_table

    XMLWordPrintable

Details

    Description

      Note: According to marko, it can be a member of MDEV-14693 family.

      --source include/have_innodb.inc
      		 
       
      		 
      CREATE TABLE t1 (a INT) ENGINE=InnoDB;
      		 
       
      		 
      --connect (con1,localhost,root,,test)
      		 
      XA START 'xid';
      		 
      CREATE TEMPORARY TABLE tmp (b INT) ENGINE=InnoDB;
      		 
      INSERT INTO t1 VALUES (1);
      		 
       
      		 
      --error ER_XAER_RMFAIL
      		 
      COMMIT;
      		 
       
      		 
      # Could also be --ER_XAER_NOTA
      		 
      # XA COMMIT 'non_existing_xid'; 
      # etc.
      		 
       
      		 
      --connection default
      		 
      DROP TABLE t1;

      10.2 8f98835bb86

      		 
      #3  <signal handler called>
      		 
      #4  0x00007f3e62b3f34e in __strcmp_sse2_unaligned () from /lib/x86_64-linux-gnu/libc.so.6
      		 
      #5  0x00005574d2b3cfd0 in ha_innobase::delete_table (this=0x7f3de8011028, name=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:13512
      		 
      #6  0x00005574d28254dc in handler::ha_delete_table (this=0x7f3de8011028, name=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/sql/handler.cc:4337
      		 
      #7  0x00005574d279a967 in THD::rm_temporary_table (this=0x7f3de8000b00, base=0x5574d4645290, path=0x7f3de80258f8 "/data/bld/10.2/data/tmp/#sql8ab_9_0") at /data/src/10.2/sql/temporary_tables.cc:676
      		 
      #8  0x00005574d279c533 in THD::free_tmp_table_share (this=0x7f3de8000b00, share=0x7f3de80253e0, delete_table=true) at /data/src/10.2/sql/temporary_tables.cc:1445
      		 
      #9  0x00005574d279a428 in THD::close_temporary_tables (this=0x7f3de8000b00) at /data/src/10.2/sql/temporary_tables.cc:509
      		 
      #10 0x00005574d255f40f in THD::cleanup (this=0x7f3de8000b00) at /data/src/10.2/sql/sql_class.cc:1462
      		 
      #11 0x00005574d24c78d2 in unlink_thd (thd=0x7f3de8000b00) at /data/src/10.2/sql/mysqld.cc:2910
      		 
      #12 0x00005574d24c7d73 in one_thread_per_connection_end (thd=0x7f3de8000b00, put_in_cache=true) at /data/src/10.2/sql/mysqld.cc:3055
      		 
      #13 0x00005574d26f272f in do_handle_one_connection (connect=0x5574d507f1f0) at /data/src/10.2/sql/sql_connect.cc:1354
      		 
      #14 0x00005574d26f23d3 in handle_one_connection (arg=0x5574d507f1f0) at /data/src/10.2/sql/sql_connect.cc:1241
      		 
      #15 0x00007f3e647b2494 in start_thread (arg=0x7f3e60257700) at pthread_create.c:333
      		 
      #16 0x00007f3e62b9893f in clone () from /lib/x86_64-linux-gnu/libc.so.6


      ==330==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000067c18 at pc 0x55fdc35543e3 bp 0x7f2b649aff30 sp 0x7f2b649aff28
      		 
      READ of size 8 at 0x617000067c18 thread T32
      		 
          #0 0x55fdc35543e2 in ha_innobase::delete_table(char const*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:13512
      		 
          #1 0x55fdc2dabcf8 in handler::ha_delete_table(char const*) /data/src/10.2/sql/handler.cc:4337
      		 
          #2 0x55fdc2c5215f in THD::rm_temporary_table(handlerton*, char const*) /data/src/10.2/sql/temporary_tables.cc:676
      		 
          #3 0x55fdc2c5626b in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.2/sql/temporary_tables.cc:1445
      		 
          #4 0x55fdc2c515c1 in THD::close_temporary_tables() /data/src/10.2/sql/temporary_tables.cc:509
      		 
          #5 0x55fdc27025dc in THD::cleanup() /data/src/10.2/sql/sql_class.cc:1462
      		 
          #6 0x55fdc25b3412 in unlink_thd(THD*) /data/src/10.2/sql/mysqld.cc:2910
      		 
          #7 0x55fdc25b3d13 in one_thread_per_connection_end(THD*, bool) /data/src/10.2/sql/mysqld.cc:3055
      		 
          #8 0x55fdc2ae660b in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1354
      		 
          #9 0x55fdc2ae5dfe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
      		 
          #10 0x7f2b99b7f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
      		 
          #11 0x7f2b97f6593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

      Could not reproduce on 10.1 or 10.3.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15533 Assertion `log->blobs' failed in row_log_table_apply_update

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-14693 XA: Assertion `!clust_index->online_log' failed in rollback_inplace_alter_table

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15490 XA: ASAN heap-use-after-free or valgrind Invalid write in trx_update_mod_tables_timestamp

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15532 XA: Assertion `!log->same_pk' failed in row_log_table_apply_delete

          • Major - Major loss of function.
          • Closed

          Activity

            People

              serg Sergei Golubchik
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.