[MDEV-37383] Crash in end_read_record after REPAIR of Global temporary table - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Progress (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: ROADMAP
Component/s: Data Definition - Temporary, Locking, Storage Engine - InnoDB
Labels:

Bug Category:
Not for Release Notes
Sprint:
Q4/2025 Server Maintenance

Description

--source include/have_innodb.inc

CREATE GLOBAL TEMPORARY TABLE t (c INT) ENGINE=InnoDB;

REPAIR LOCAL TABLE t;

DELETE FROM t;

Leads to:

MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Optimized, Clang) Build 04/08/2025
Core was generated by `/test/MDEV-35915_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd --no-def'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00006022a165ef48 in end_read_record (info=info@entry=0x7a21d41f98e0)at /test/bb-12.0-nikita-global-tmp_opt/sql/records.cc:354
354 (void) info->table->file->extra(HA_EXTRA_NO_CACHE);
[Current thread is 1 (LWP 4085554)]
(gdb) bt
#0 0x00006022a165ef48 in end_read_record (info=info@entry=0x7a21d41f98e0)at /test/bb-12.0-nikita-global-tmp_opt/sql/records.cc:354
#1 0x00006022a1867ffe in copy_data_between_tables (thd=thd@entry=0x7a20a4000c68, from=from@entry=0x7a20a402bf18, to=to@entry=0x7a20a4027f18, ignore=<optimized out>, order_num=<optimized out>, order=<optimized out>, copied=0x7a21d41faf10, deleted=0x7a21d41faf18, alter_info=0x7a21d41fd0d0, alter_ctx=0x7a21d41fb9d0, online=<optimized out>, start_alter_id=0)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_table.cc:13224
#2 0x00006022a186171f in mysql_alter_table (thd=thd@entry=0x7a20a4000c68, new_db=<optimized out>, new_name=<optimized out>, create_info=create_info@entry=0x7a21d41fd250, table_list=0x7a20a40177b8, recreate_info=recreate_info@entry=0x7a21d41fda90, alter_info=0x7a21d41fd0d0, order_num=0, order=0x0, ignore=<optimized out>, if_exists=<optimized out>)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_table.cc:12073
#3 0x00006022a1869005 in mysql_recreate_table (thd=thd@entry=0x7a20a4000c68, table_list=table_list@entry=0x7a20a40177b8, recreate_info=recreate_info@entry=0x7a21d41fda90, table_copy=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_table.cc:13298
#4 0x00006022a18f1671 in admin_recreate_table (thd=thd@entry=0x7a20a4000c68, table_list=table_list@entry=0x7a20a40177b8, recreate_info=recreate_info@entry=0x7a21d41fda90, table_copy=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_admin.cc:78
#5 0x00006022a18efdb7 in mysql_admin_table (thd=thd@entry=0x7a20a4000c68, tables=tables@entry=0x7a20a40177b8, check_opt=check_opt@entry=0x7a20a4006400, operator_name=0x6022a208ef38 <msg_repair>, lock_type=lock_type@entry=TL_WRITE, org_open_for_modify=true, no_errors_from_open=<optimized out>, extra_open_options=32, prepare_func=0x6022a18f0c50 <prepare_for_repair(THD, TABLE_LIST, st_ha_check_opt)>, operator_func=(int (handler::)(handler * const, THD , HA_CHECK_OPT )) 0x6022a14dad20 <handler::ha_repair(THD, st_ha_check_opt)>, view_operator_func=0x6022a18901f0 <view_repair(THD, TABLE_LIST, st_ha_check_opt*)>, is_cmd_replicated=<optimized out>)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_admin.cc:1132
#6 0x00006022a18f0c24 in Sql_cmd_repair_table::execute (this=<optimized out>, thd=0x7a20a4000c68)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_admin.cc:1730
#7 0x00006022a178efa3 in mysql_execute_command (thd=thd@entry=0x7a20a4000c68, is_called_from_prepared_stmt=false)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:5865
#8 0x00006022a178a961 in mysql_parse (thd=thd@entry=0x7a20a4000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7a21d41fe420)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:7893
#9 0x00006022a1788e7f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7a20a4000c68, packet=packet@entry=0x7a20a4008a69 "", packet_length=packet_length@entry=20, blocking=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:1881
#10 0x00006022a178ad71 in do_command (thd=thd@entry=0x7a20a4000c68, blocking=true) at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_parse.cc:1420
#11 0x00006022a18e049d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x6022a44f27e8, put_in_cache=true)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_connect.cc:1414
#12 0x00006022a18e025f in handle_one_connection (arg=arg@entry=0x6022a44f27e8)at /test/bb-12.0-nikita-global-tmp_opt/sql/sql_connect.cc:1326
#13 0x00006022a1a9d039 in pfs_spawn_thread (arg=0x6022a44a2558)at /test/bb-12.0-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
#14 0x00007a21d5c9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#15 0x00007a21d5d29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Debug, Clang) Build 04/08/2025
mariadbd: /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:3750: int handler::ha_close(): Assertion `m_lock_type == 2' failed.

MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Debug, Clang) Build 04/08/2025
Core was generated by `/test/MDEV-35915_MD040825-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd --no-def'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 4109676)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#3 0x000078b6a6e4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#4 0x000078b6a6e288ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x000078b6a6e2881b in __assert_fail_base (fmt=0x78b6a6fd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x64fc86356763 "m_lock_type == 2", file=file@entry=0x64fc862e5630 "/test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc", line=line@entry=3750, function=function@entry=0x64fc863c6581 "int handler::ha_close()")at ./assert/assert.c:94
#6 0x000078b6a6e3b507 in __assert_fail (assertion=0x64fc86356763 "m_lock_type == 2", file=0x64fc862e5630 "/test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc", line=3750, function=0x64fc863c6581 "int handler::ha_close()")at ./assert/assert.c:103
#7 0x000064fc86b5ddfb in handler::ha_close (this=0x78b55803b548)at /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:3750
#8 0x000064fc87198f98 in closefrm (table=0x78b558035018)at /test/bb-12.0-nikita-global-tmp_dbg/sql/table.cc:4862
#9 0x000064fc87373906 in THD::close_temporary_table (this=0x78b558000d58, table=0x78b558035018)at /test/bb-12.0-nikita-global-tmp_dbg/sql/temporary_tables.cc:1427
#10 0x000064fc873721e5 in THD::free_temporary_table (this=0x78b558000d58, table=0x78b558035018)at /test/bb-12.0-nikita-global-tmp_dbg/sql/temporary_tables.cc:1763
#11 0x000064fc87372eff in THD::drop_tmp_table_share (this=0x78b558000d58, table=0x0, share=0x78b558026128, delete_table=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/temporary_tables.cc:799
#12 0x000064fc87373b2f in THD::commit_global_tmp_tables (this=0x78b558000d58)at /test/bb-12.0-nikita-global-tmp_dbg/sql/temporary_tables.cc:1455
#13 0x000064fc873741ab in commit_global_tmp_table (thd=0x78b558000d58, all=false)at /test/bb-12.0-nikita-global-tmp_dbg/sql/temporary_tables.cc:1867
#14 0x000064fc86b59d0f in commit_one_phase_2 (thd=0x78b558000d58, all=false, trans=0x78b5580049a8, is_real_trans=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:2245
#15 0x000064fc86b5a42c in ha_commit_one_phase (thd=0x78b558000d58, all=false)at /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:2185
#16 0x000064fc86b5891e in ha_commit_trans (thd=0x78b558000d58, all=false)at /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:1977
#17 0x000064fc86b64f9e in ha_enable_transaction (thd=0x78b558000d58, on=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/handler.cc:6087
#18 0x000064fc87145789 in mysql_trans_commit_alter_copy_data (thd=0x78b558000d58)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_table.cc:12569
#19 0x000064fc871447e4 in copy_data_between_tables (thd=0x78b558000d58, from=0x78b558034be8, to=0x78b558035018, ignore=true, order_num=0, order=0x0, copied=0x78b69ff2bdb0, deleted=0x78b69ff2bda8, alter_info=0x78b69ff2e518, alter_ctx=0x78b69ff2cdb8, online=false, start_alter_id=0)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_table.cc:13196
#20 0x000064fc87139308 in mysql_alter_table (thd=0x78b558000d58, new_db=0x64fc865a9780 <null_clex_str>, new_name=0x64fc865a9780 <null_clex_str>, create_info=0x78b69ff2e690, table_list=0x78b558019fb8, recreate_info=0x78b69ff2ff00, alter_info=0x78b69ff2e518, order_num=0, order=0x0, ignore=true, if_exists=false)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_table.cc:12073
#21 0x000064fc8714597d in mysql_recreate_table (thd=0x78b558000d58, table_list=0x78b558019fb8, recreate_info=0x78b69ff2ff00, table_copy=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_table.cc:13298
#22 0x000064fc872243f4 in admin_recreate_table (thd=0x78b558000d58, table_list=0x78b558019fb8, recreate_info=0x78b69ff2ff00, table_copy=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_admin.cc:78
#23 0x000064fc8722095e in mysql_admin_table (thd=0x78b558000d58, tables=0x78b558019fb8, check_opt=0x78b5580064c8, operator_name=0x64fc87e925d8 <msg_repair>, lock_type=TL_WRITE, org_open_for_modify=true, no_errors_from_open=false, extra_open_options=32, prepare_func=0x64fc872230f0 <prepare_for_repair(THD, TABLE_LIST, st_ha_check_opt)>, operator_func=(int (handler::)(class handler * const, class THD , HA_CHECK_OPT )) 0x64fc86b63180 <handler::ha_repair(THD, st_ha_check_opt)>, view_operator_func=0x64fc87186950 <view_repair(THD, TABLE_LIST, st_ha_check_opt*)>, is_cmd_replicated=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_admin.cc:1132
#24 0x000064fc872230ab in Sql_cmd_repair_table::execute (this=0x78b55801a6f0, thd=0x78b558000d58)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_admin.cc:1730
#25 0x000064fc86ff94bd in mysql_execute_command (thd=0x78b558000d58, is_called_from_prepared_stmt=false)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_parse.cc:5865
#26 0x000064fc86fe87f4 in mysql_parse (thd=0x78b558000d58, rawbuf=0x78b558019ef0 "REPAIR LOCAL TABLE t", length=20, parser_state=0x78b69ff31a10)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_parse.cc:7893
#27 0x000064fc86fe5bc8 in dispatch_command (command=COM_QUERY, thd=0x78b558000d58, packet=0x78b55800b269 "", packet_length=20, blocking=true) at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_parse.cc:1881
#28 0x000064fc86fe93a3 in do_command (thd=0x78b558000d58, blocking=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_parse.cc:1420
#29 0x000064fc87207659 in do_handle_one_connection (connect=0x64fc89673978, put_in_cache=true)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#30 0x000064fc872073fe in handle_one_connection (arg=0x64fc8967e9d8)at /test/bb-12.0-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#31 0x000078b6a6e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#32 0x000078b6a6f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

And ASAN sees a heap-use-after-free in optimized builds (debug crashes with the m_lock_type == 2 assert:

MDEV-35915 CS 12.0.1 21489191d3683c5655afa170533480c86843ecba (Optimized, UBASAN, Clang) Build 04/08/2025
==3888310==ERROR: AddressSanitizer: heap-use-after-free on address 0x519000054e34 at pc 0x57bee515f676 bp 0x7143208ffb70 sp 0x7143208ffb68
READ of size 4 at 0x519000054e34 thread T12
#0 0x57bee515f675 in end_read_record(READ_RECORD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/records.cc:353:22
#1 0x57bee5cb3e57 in copy_data_between_tables(THD, TABLE, TABLE, bool, unsigned int, st_order, unsigned long long, unsigned long long, Alter_info, Alter_table_ctx, bool, unsigned long long) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13224:5
#2 0x57bee5c8d42b in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:12073:9
#3 0x57bee5cba24a in mysql_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13298:13
#4 0x57bee5f9fa67 in admin_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:78:17
#5 0x57bee5f958a5 in mysql_admin_table(THD, TABLE_LIST, st_ha_check_opt, st_mysql_const_lex_string const, thr_lock_type, bool, bool, unsigned int, int ()(THD, TABLE_LIST, st_ha_check_opt), int (handler::)(THD, st_ha_check_opt), int ()(THD, TABLE_LIST, st_ha_check_opt*), bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1132:20
#6 0x57bee5f9c24b in Sql_cmd_repair_table::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1730:8
#7 0x57bee580c049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#8 0x57bee57ee180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#9 0x57bee57e54d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#10 0x57bee57f0446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#11 0x57bee5f4817c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#12 0x57bee5f479d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#13 0x57bee46c5c0c in asan_thread_start(void*) crtstuff.c
#14 0x71440e09ca93 in start_thread nptl/pthread_create.c:447:8
#15 0x71440e129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x519000054e34 is located 692 bytes inside of 1064-byte region [0x519000054b80,0x519000054fa8)
freed by thread T12 here:
#0 0x57bee46c7e8a in free (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x284fe8a) (BuildId: aa0e62209f3572e8)
#1 0x57bee63a3384 in THD::close_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1428:3
#2 0x57bee63a3384 in THD::free_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1763:3
#3 0x57bee63a61e6 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:799:5
#4 0x57bee63a824e in THD::commit_global_tmp_tables() /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1455:28
#5 0x57bee47e0838 in commit_one_phase_2(THD, bool, THD_TRANS, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:2245:17
#6 0x57bee47de157 in ha_commit_trans(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:1977:12
#7 0x57bee4809f67 in ha_enable_transaction(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:6087:9
#8 0x57bee5cb97d7 in mysql_trans_commit_alter_copy_data(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:12569:7
#9 0x57bee5cb3e2b in copy_data_between_tables(THD, TABLE, TABLE, bool, unsigned int, st_order, unsigned long long, unsigned long long, Alter_info, Alter_table_ctx, bool, unsigned long long) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13196:7
#10 0x57bee5c8d42b in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:12073:9
#11 0x57bee5cba24a in mysql_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13298:13
#12 0x57bee5f9fa67 in admin_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:78:17
#13 0x57bee5f958a5 in mysql_admin_table(THD, TABLE_LIST, st_ha_check_opt, st_mysql_const_lex_string const, thr_lock_type, bool, bool, unsigned int, int ()(THD, TABLE_LIST, st_ha_check_opt), int (handler::)(THD, st_ha_check_opt), int ()(THD, TABLE_LIST, st_ha_check_opt*), bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1132:20
#14 0x57bee5f9c24b in Sql_cmd_repair_table::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1730:8
#15 0x57bee580c049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#16 0x57bee57ee180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#17 0x57bee57e54d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#18 0x57bee57f0446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#19 0x57bee5f4817c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#20 0x57bee5f479d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#21 0x57bee46c5c0c in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x57bee46c8123 in malloc (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2850123) (BuildId: aa0e62209f3572e8)
#1 0x57bee72c9872 in my_malloc /test/bb-12.0-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x57bee639baf4 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1292:26
#3 0x57bee639aa91 in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string, char const, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:139:12
#4 0x57bee5c66543 in create_table_impl(THD, st_ddl_log_state, st_ddl_log_state, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO, Alter_info, int, bool, st_key*, unsigned int, st_mysql_const_unsigned_lex_string*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:4951:24
#5 0x57bee5c63e2d in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:5039:8
#6 0x57bee5c6aa4d in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:6194:14
#7 0x57bee5361fc0 in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:2330:22
#8 0x57bee536ecaf in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:4285:14
#9 0x57bee536ecaf in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:4771:14
#10 0x57bee5c827b8 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.h:282:10
#11 0x57bee5c827b8 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:10966:10
#12 0x57bee5cba24a in mysql_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13298:13
#13 0x57bee5f9fa67 in admin_recreate_table(THD, TABLE_LIST, Recreate_info*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:78:17
#14 0x57bee5f958a5 in mysql_admin_table(THD, TABLE_LIST, st_ha_check_opt, st_mysql_const_lex_string const, thr_lock_type, bool, bool, unsigned int, int ()(THD, TABLE_LIST, st_ha_check_opt), int (handler::)(THD, st_ha_check_opt), int ()(THD, TABLE_LIST, st_ha_check_opt*), bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1132:20
#15 0x57bee5f9c24b in Sql_cmd_repair_table::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_admin.cc:1730:8
#16 0x57bee580c049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#17 0x57bee57ee180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#18 0x57bee57e54d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#19 0x57bee57f0446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#20 0x57bee5f4817c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#21 0x57bee5f479d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#22 0x57bee46c5c0c in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x57bee46ada95 in pthread_create (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2835a95) (BuildId: aa0e62209f3572e8)
#1 0x57bee4718d01 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x57bee4719eea in handle_connections_sockets() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x57bee4718050 in run_main_loop() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x57bee470f42b in mysqld_main(int, char**) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x71440e02a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x71440e02a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x57bee462d2d4 in _start (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x27b52d4) (BuildId: aa0e62209f3572e8)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.0-nikita-global-tmp_opt_san/sql/records.cc:353:22 in end_read_record(READ_RECORD*)
Shadow bytes around the buggy address:
0x519000054b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x519000054e00: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x519000054e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000054f80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x519000055000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x519000055080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3888310==ABORTING
250805 11:44:24 [ERROR] /test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd got signal 6 ;

Similar stacks for all of the stacks above on ES. MyISAM not affected. Please note the same assert is seen in MDEV-35014.

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

relates to

MDEV-35014 Assertion `m_lock_type == 2' failed in int handler::ha_close()

Open

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-08-05 01:52

Updated:: Yesterday 15:17

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.