Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Critical
-
Resolution: Unresolved
-
N/A
-
Not for Release Notes
-
Q4/2025 Server Maintenance
Description
CREATE GLOBAL TEMPORARY TABLE t (c INT); |
HANDLER t OPEN AS t; |
CREATE TABLE t (c INT); |
Leads to:
|
MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Optimized, Clang) Build 04/08/2025 |
Core was generated by `/test/MDEV-35915_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd --no-def'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x00005fe67c252c2b in mysql_ha_close_table (handler=handler@entry=0x78b55802cfc0)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_handler.cc:204
|
204 if ((next_global= table->file->get_next_global_for_child()))
|
[Current thread is 1 (LWP 2270141)]
|
(gdb) bt
|
#0 0x00005fe67c252c2b in mysql_ha_close_table (handler=handler@entry=0x78b55802cfc0)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_handler.cc:204
|
#1 0x00005fe67c253fc8 in mysql_ha_rm_tables (thd=thd@entry=0x78b558000c68, tables=<optimized out>)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_handler.cc:1117
|
#2 0x00005fe67c294db6 in mysql_execute_command (thd=thd@entry=0x78b558000c68, is_called_from_prepared_stmt=false)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:3811
|
#3 0x00005fe67c290961 in mysql_parse (thd=thd@entry=0x78b558000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x78b680968420)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:7893
|
#4 0x00005fe67c28ee7f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x78b558000c68, packet=packet@entry=0x78b558008a69 "CREATE TABLE t (c INT) ENGINE=InnoDB", packet_length=packet_length@entry=36, blocking=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:1881
|
#5 0x00005fe67c290d71 in do_command (thd=thd@entry=0x78b558000c68, blocking=true) at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:1420
|
#6 0x00005fe67c3e649d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5fe67fa727e8, put_in_cache=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_connect.cc:1414
|
#7 0x00005fe67c3e625f in handle_one_connection (arg=arg@entry=0x5fe67fa727e8)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_connect.cc:1326
|
#8 0x00005fe67c5a3039 in pfs_spawn_thread (arg=0x5fe67fa22558)at /test/bb-12.0-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
|
#9 0x000078b684a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
|
#10 0x000078b684b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
The same stack is present on ES 11.8 dbg/opt and CS 12.0 dbg.
And to:
|
MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Optimized, UBASAN, Clang) Build 04/08/2025 |
==2772771==ERROR: AddressSanitizer: heap-use-after-free on address 0x5190000537a0 at pc 0x60615831698d bp 0x78547c100610 sp 0x78547c100608
|
READ of size 8 at 0x5190000537a0 thread T12
|
#0 0x60615831698c in mysql_ha_close_table(SQL_HANDLER*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_handler.cc:204:28
|
#1 0x60615831cfd7 in mysql_ha_rm_tables(THD*, TABLE_LIST*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_handler.cc:1117:7
|
#2 0x6061584ac625 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:3811:5
|
#3 0x60615848f180 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
|
#4 0x6061584864d6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
|
#5 0x606158491446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
|
#6 0x606158be917c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
|
#7 0x606158be89d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
|
#8 0x606157366c0c in asan_thread_start(void*) crtstuff.c
|
#9 0x78556949ca93 in start_thread nptl/pthread_create.c:447:8
|
#10 0x785569529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
 |
0x5190000537a0 is located 32 bytes inside of 1064-byte region [0x519000053780,0x519000053ba8)
|
freed by thread T12 here:
|
#0 0x606157368e8a in free (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x284fe8a) (BuildId: aa0e62209f3572e8)
|
#1 0x606159044384 in THD::close_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1428:3
|
#2 0x606159044384 in THD::free_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1763:3
|
#3 0x6061590471e6 in THD::drop_tmp_table_share(TABLE*, TMP_TABLE_SHARE*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:799:5
|
#4 0x60615904924e in THD::commit_global_tmp_tables() /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1455:28
|
#5 0x606157481838 in commit_one_phase_2(THD*, bool, THD_TRANS*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:2245:17
|
#6 0x60615747f157 in ha_commit_trans(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:1977:12
|
#7 0x606158c46f87 in trans_commit_stmt(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/transaction.cc:498:10
|
#8 0x6061584b6992 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5949:7
|
#9 0x60615848f180 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
|
#10 0x6061584864d6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
|
#11 0x606158491446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
|
#12 0x606158be917c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
|
#13 0x606158be89d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
|
#14 0x606157366c0c in asan_thread_start(void*) crtstuff.c
|
 |
previously allocated by thread T12 here:
|
#0 0x606157369123 in malloc (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2850123) (BuildId: aa0e62209f3572e8)
|
#1 0x606159f6a872 in my_malloc /test/bb-12.0-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
|
#2 0x60615903caf4 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1292:26
|
#3 0x60615903ba91 in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:139:12
|
#4 0x606158907543 in create_table_impl(THD*, st_ddl_log_state*, st_ddl_log_state*, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO*, Alter_info*, int, bool*, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:4951:24
|
#5 0x606158904e2d in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:5039:8
|
#6 0x60615890ba4d in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:6194:14
|
#7 0x606158002fc0 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:2330:22
|
#8 0x60615800fcaf in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:4285:14
|
#9 0x60615800fcaf in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:4771:14
|
#10 0x606157fecfcf in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.h:514:10
|
#11 0x606158313f4f in mysql_ha_open(THD*, TABLE_LIST*, SQL_HANDLER*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_handler.cc:345:11
|
#12 0x6061584b3da6 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5451:10
|
#13 0x60615848f180 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
|
#14 0x6061584864d6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
|
#15 0x606158491446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
|
#16 0x606158be917c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
|
#17 0x606158be89d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
|
#18 0x606157366c0c in asan_thread_start(void*) crtstuff.c
|
 |
Thread T12 created by T0 here:
|
#0 0x60615734ea95 in pthread_create (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2835a95) (BuildId: aa0e62209f3572e8)
|
#1 0x6061573b9d01 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
|
#2 0x6061573baeea in handle_connections_sockets() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
|
#3 0x6061573b9050 in run_main_loop() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
|
#4 0x6061573b042b in mysqld_main(int, char**) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
|
#5 0x78556942a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x78556942a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x6061572ce2d4 in _start (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x27b52d4) (BuildId: aa0e62209f3572e8)
|
 |
SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_handler.cc:204:28 in mysql_ha_close_table(SQL_HANDLER*)
|
Shadow bytes around the buggy address:
|
0x519000053500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
|
0x519000053700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x519000053780: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
0x519000053a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==2772771==ABORTING
|
250805 10:17:29 [ERROR] /test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd got signal 6 ;
|
The same ASAN issue is present on ES 11.8 dbg/opt and CS 12.0 dbg.
Affects at least InnoDB + MyISAM.
Attachments
Issue Links
- is caused by
-
MDEV-35915 Implement Global temporary tables
-
- In Testing
-