[MDEV-37394] SIGSEGV in handler::ha_external_lock on CREATE GTT ... ENGINE=INNODB SELECT, ASAN heap-use-after-free in unlock_external - Jira

XML

Word

Printable

Details

Type: Bug
Status: In Progress (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Create Table, Data Definition - Temporary, Locking, Storage Engine - InnoDB
Labels:

Bug Category:
Not for Release Notes
Sprint:
Q4/2025 Server Maintenance

Description

--source include/have_innodb.inc

CREATE GLOBAL TEMPORARY TABLE t (c INT) ENGINE=InnoDB AS SELECT 1 QUERY;

Leads to:

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Optimized, Clang) Build 31/07/2025
Core was generated by `/test/MDEV-35915_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd --no-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 handler::ha_external_lock (this=0x0, thd=0x744a88000c68, lock_type=2)at /test/11.8-enterprise-global-tmp_opt/sql/handler.cc:7706
7706 (void) table->unlock_hlindexes();
[Current thread is 1 (LWP 1893505)]
(gdb) bt
#0 handler::ha_external_lock (this=0x0, thd=0x744a88000c68, lock_type=2)at /test/11.8-enterprise-global-tmp_opt/sql/handler.cc:7706
#1 0x00005d0ce490c7e4 in handler::ha_external_unlock (this=0x0, thd=0x744a88000c68)at /test/11.8-enterprise-global-tmp_opt/sql/handler.h:3598
#2 unlock_external (thd=0x744a88000c68, table=0x744a8801b248, count=<optimized out>)at /test/11.8-enterprise-global-tmp_opt/sql/lock.cc:742
#3 mysql_unlock_tables (thd=0x744a88000c68, sql_lock=0x744a8801b228, free_lock=false) at /test/11.8-enterprise-global-tmp_opt/sql/lock.cc:433
#4 0x00005d0ce49e6414 in select_create::send_eof (this=0x744a88019038)at /test/11.8-enterprise-global-tmp_opt/sql/sql_insert.cc:5497
#5 0x00005d0ce4a6d109 in JOIN::exec_inner (this=this@entry=0x744a88019178)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:4958
#6 0x00005d0ce4a52c37 in JOIN::exec (this=0x744a88019178)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:4859
#7 mysql_select (thd=thd@entry=0x744a88000c68, tables=<optimized out>, fields=@0x744a880181f8: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x744a88018498, last = 0x744a88018498, elements = 1}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x744a88019038, unit=0x744a88004fc8, select_lex=0x744a88017f20)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:5392
#8 0x00005d0ce4a528b9 in handle_select (thd=thd@entry=0x744a88000c68, lex=lex@entry=0x744a88004ee8, result=result@entry=0x744a88019038, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:633
#9 0x00005d0ce4af289b in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x744a88000c68)at /test/11.8-enterprise-global-tmp_opt/sql/sql_table.cc:13777
#10 0x00005d0ce4a1790e in mysql_execute_command (thd=thd@entry=0x744a88000c68, is_called_from_prepared_stmt=false)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:5898
#11 0x00005d0ce4a12f51 in mysql_parse (thd=thd@entry=0x744a88000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x744bb8501420)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:7947
#12 0x00005d0ce4a113c4 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x744a88000c68, packet=packet@entry=0x744a880088f9 "CREATE GLOBAL TEMPORARY TABLE t (x INT) AS SELECT 1 QUERY", packet_length=packet_length@entry=57, blocking=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:1913
#13 0x00005d0ce4a13361 in do_command (thd=thd@entry=0x744a88000c68, blocking=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:1426
#14 0x00005d0ce4b68a9d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5d0ce73703b8, put_in_cache=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_connect.cc:1415
#15 0x00005d0ce4b6885f in handle_one_connection (arg=arg@entry=0x5d0ce73703b8)at /test/11.8-enterprise-global-tmp_opt/sql/sql_connect.cc:1327
#16 0x00005d0ce4d20c09 in pfs_spawn_thread (arg=0x5d0ce730fd28)at /test/11.8-enterprise-global-tmp_opt/storage/perfschema/pfs.cc:2198
#17 0x0000744bb9a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x0000744bb9b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Debug, UBASAN, Clang) Build 31/07/2025
mariadbd: /test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc:3734: int handler::ha_close(): Assertion `m_lock_type == 2' failed.

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Debug, UBASAN, Clang) Build 31/07/2025
Core was generated by `/test/MDEV-35915_UBASAN_EMD310725-mariadb-11.8.3-1-linux-x86_64-dbg/bin/mariadb'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 1895503)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=6)at ./nptl/pthread_kill.c:89
#3 0x0000556b9c621125 in handle_fatal_signal (sig=<optimized out>)at /test/11.8-enterprise-global-tmp_dbg_san/sql/signal_handler.cc:298
#4 <signal handler called>
#5 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#6 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#7 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#8 0x000072d64084526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#9 0x000072d6408288ff in __GI_abort () at ./stdlib/abort.c:79
#10 0x000072d64082881b in __assert_fail_base (fmt=0x72d6409d01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x556b9ae928a0 <str> "m_lock_type == 2", file=file@entry=0x556b9ae8dbb4 "/test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc", line=line@entry=3734, function=function@entry=0x556b9ae92ac0 <__PRETTY_FUNCTION__._ZN7handler8ha_closeEv> "int handler::ha_close()") at ./assert/assert.c:94
#11 0x000072d64083b507 in __assert_fail (assertion=0x556b9ae928a0 <str> "m_lock_type == 2", file=0x556b9ae8dbb4 "/test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc", line=3734, function=0x556b9ae92ac0 <__PRETTY_FUNCTION__._ZN7handler8ha_closeEv> "int handler::ha_close()") at ./assert/assert.c:103
#12 0x0000556b9bd8b8f0 in handler::ha_close (this=<optimized out>)at /test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc:3734
#13 0x0000556b9d424bd2 in closefrm (table=table@entry=0x519000052d98)at /test/11.8-enterprise-global-tmp_dbg_san/sql/table.cc:4855
#14 0x0000556b9da3dcf9 in THD::close_temporary_table (this=this@entry=0x52b000165218, table=0x1cec4f, table@entry=0x519000052d98)at /test/11.8-enterprise-global-tmp_dbg_san/sql/temporary_tables.cc:1363
#15 0x0000556b9da3bb50 in THD::free_temporary_table (this=0x52b000165218, table=0x519000052d98)at /test/11.8-enterprise-global-tmp_dbg_san/sql/temporary_tables.cc:1648
#16 THD::drop_tmp_table_share (this=this@entry=0x52b000165218, table=table@entry=0x0, share=share@entry=0x51d0001cac98, delete_table=true)at /test/11.8-enterprise-global-tmp_dbg_san/sql/temporary_tables.cc:749
#17 0x0000556b9da3e126 in THD::commit_global_tmp_tables (this=0x52b000165218)at /test/11.8-enterprise-global-tmp_dbg_san/sql/temporary_tables.cc:1389
#18 0x0000556b9bd79b67 in commit_one_phase_2 (thd=0x52b000165218, all=false, trans=<optimized out>, is_real_trans=true)at /test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc:2239
#19 0x0000556b9bd7748e in ha_commit_trans (thd=<optimized out>, all=<optimized out>)at /test/11.8-enterprise-global-tmp_dbg_san/sql/handler.cc:1973
#20 0x0000556b9d6128e9 in trans_commit_stmt (thd=0x52b000165218)at /test/11.8-enterprise-global-tmp_dbg_san/sql/transaction.cc:496
#21 0x0000556b9cd14b8f in select_create::send_eof (this=0x52d000173fc8)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_insert.cc:5413
#22 0x0000556b9d01d9ba in JOIN::exec_inner (this=0x52d000174110)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_select.cc:4958
#23 0x0000556b9d01a4e3 in JOIN::exec (this=0x52d000174110)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_select.cc:4859
#24 0x0000556b9cf92cc5 in mysql_select (thd=0x52b000165218, tables=tables@entry=0x0, fields=<optimized out>, conds=<optimized out>, og_num=og_num@entry=0, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x52d000173fc8, unit=0x52b000169548, select_lex=0x52d000172e38)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_select.cc:5392
#25 0x0000556b9cf915a3 in handle_select (thd=thd@entry=0x52b000165218, lex=lex@entry=0x52b000169468, result=result@entry=0x52d000173fc8, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_select.cc:633
#26 0x0000556b9d3055dc in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x52b000165218)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_table.cc:13777
#27 0x0000556b9ce3568b in mysql_execute_command (thd=0x52b000165218, is_called_from_prepared_stmt=<optimized out>)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_parse.cc:5898
#28 0x0000556b9ce12ef9 in mysql_parse (thd=thd@entry=0x52b000165218, rawbuf=rawbuf@entry=0x52d000172438 "CREATE GLOBAL TEMPORARY TABLE t (x INT) AS SELECT 1 QUERY", length=<optimized out>, parser_state=parser_state@entry=0x72d551d118a0)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_parse.cc:7947
#29 0x0000556b9ce0c049 in dispatch_command (command=<optimized out>, thd=0x52b000165218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_parse.cc:1913
#30 0x0000556b9ce15a74 in do_command (thd=thd@entry=0x52b000165218, blocking=true)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_parse.cc:1426
#31 0x0000556b9d5abded in do_handle_one_connection (connect=<optimized out>, connect@entry=0x508000002d38, put_in_cache=true)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_connect.cc:1415
#32 0x0000556b9d5ab6a8 in handle_one_connection (arg=0x508000002d38)at /test/11.8-enterprise-global-tmp_dbg_san/sql/sql_connect.cc:1327
#33 0x0000556b9bc41dad in asan_thread_start(void*) ()
#34 0x000072d64089ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#35 0x000072d640929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Optimized, UBASAN, Clang) Build 31/07/2025
==1900085==ERROR: AddressSanitizer: heap-use-after-free on address 0x519000053a40 at pc 0x577c1f894170 bp 0x781083500140 sp 0x781083500138
READ of size 4 at 0x519000053a40 thread T12
#0 0x577c1f89416f in unlock_external(THD, TABLE*, unsigned int) /test/bb-12.0-nikita-global-tmp_opt_san/sql/lock.cc:788:19
#1 0x577c1f89450a in mysql_unlock_tables(THD, st_mysql_lock, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/lock.cc:482:12
#2 0x577c20727204 in select_create::send_eof() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_insert.cc:5533:5
#3 0x577c20a1ffee in JOIN::exec_inner() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:4951:30
#4 0x577c20a1ea10 in JOIN::exec() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:4857:8
#5 0x577c2099ae66 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:5385:21
#6 0x577c209995a0 in handle_select(THD, LEX, select_result*, unsigned long long) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:634:10
#7 0x577c20d0be1a in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13812:20
#8 0x577c20858049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#9 0x577c2083a180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#10 0x577c208314d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#11 0x577c2083c446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#12 0x577c20f9417c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#13 0x577c20f939d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#14 0x577c1f711c0c in asan_thread_start(void*) crtstuff.c
#15 0x781170e9ca93 in start_thread nptl/pthread_create.c:447:8
#16 0x781170f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x519000053a40 is located 704 bytes inside of 1064-byte region [0x519000053780,0x519000053ba8)
freed by thread T12 here:
#0 0x577c1f713e8a in free (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x284fe8a) (BuildId: aa0e62209f3572e8)
#1 0x577c213ef384 in THD::close_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1428:3
#2 0x577c213ef384 in THD::free_temporary_table(TABLE*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1763:3
#3 0x577c213f21e6 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:799:5
#4 0x577c213f424e in THD::commit_global_tmp_tables() /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1455:28
#5 0x577c1f82c838 in commit_one_phase_2(THD, bool, THD_TRANS, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:2245:17
#6 0x577c1f82a157 in ha_commit_trans(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/handler.cc:1977:12
#7 0x577c20ff1f87 in trans_commit_stmt(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/transaction.cc:498:10
#8 0x577c20725bfe in select_create::send_eof() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_insert.cc:5449:9
#9 0x577c20a1ffee in JOIN::exec_inner() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:4951:30
#10 0x577c20a1ea10 in JOIN::exec() /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:4857:8
#11 0x577c2099ae66 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:5385:21
#12 0x577c209995a0 in handle_select(THD, LEX, select_result*, unsigned long long) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:634:10
#13 0x577c20d0be1a in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13812:20
#14 0x577c20858049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#15 0x577c2083a180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#16 0x577c208314d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#17 0x577c2083c446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#18 0x577c20f9417c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#19 0x577c20f939d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#20 0x577c1f711c0c in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x577c1f714123 in malloc (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2850123) (BuildId: aa0e62209f3572e8)
#1 0x577c22315872 in my_malloc /test/bb-12.0-nikita-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x577c213e7af4 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1292:26
#3 0x577c213e6a91 in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string, char const, Lex_ident_db const&, Lex_ident_table const&, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/temporary_tables.cc:139:12
#4 0x577c20cb2543 in create_table_impl(THD, st_ddl_log_state, st_ddl_log_state, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO, Alter_info, int, bool, st_key*, unsigned int, st_mysql_const_unsigned_lex_string*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:4951:24
#5 0x577c20cafe2d in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:5039:8
#6 0x577c20cb6a4d in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:6194:14
#7 0x577c203adfc0 in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_base.cc:2330:22
#8 0x577c20719f16 in select_create::create_table_from_items(THD, List<Item>, st_mysql_lock**) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_insert.cc:4937:11
#9 0x577c2071da0c in select_create::prepare(List<Item>&, st_select_lex_unit*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_insert.cc:5096:16
#10 0x577c209ac81c in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:1869:39
#11 0x577c2099a55c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:5360:21
#12 0x577c209995a0 in handle_select(THD, LEX, select_result*, unsigned long long) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_select.cc:634:10
#13 0x577c20d0be1a in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_table.cc:13812:20
#14 0x577c20858049 in mysql_execute_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:5865:26
#15 0x577c2083a180 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:7893:18
#16 0x577c208314d6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1881:7
#17 0x577c2083c446 in do_command(THD*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_parse.cc:1420:17
#18 0x577c20f9417c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#19 0x577c20f939d6 in handle_one_connection /test/bb-12.0-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#20 0x577c1f711c0c in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x577c1f6f9a95 in pthread_create (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x2835a95) (BuildId: aa0e62209f3572e8)
#1 0x577c1f764d01 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x577c1f765eea in handle_connections_sockets() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x577c1f764050 in run_main_loop() /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x577c1f75b42b in mysqld_main(int, char**) /test/bb-12.0-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x781170e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x781170e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x577c1f6792d4 in _start (/test/MDEV-35915_UBASAN_MD040825-mariadb-12.0.1-linux-x86_64-opt/bin/mariadbd+0x27b52d4) (BuildId: aa0e62209f3572e8)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.0-nikita-global-tmp_opt_san/sql/lock.cc:788:19 in unlock_external(THD, TABLE*, unsigned int)
Shadow bytes around the buggy address:
0x519000053780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x519000053a00: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x519000053a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053b80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x519000053c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x519000053c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1900085==ABORTING

The same stacks/assert are present on CS 12.0 opt/dbg. InnoDB is affected, however MyISAM is not.

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2025-08-06 01:33

Updated:: Yesterday 15:17

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.