[MDEV-37395] SIGSEGV on CREATE TABLE ... SELECT where source table is a GTT - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Temporary, Optimizer
Labels:

Bug Category:
Not for Release Notes

Description

CREATE GLOBAL TEMPORARY TABLE t1 (c INT);

CREATE TABLE t2 SELECT * FROM t1;

Leads to:

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Optimized, Clang) Build 31/07/2025
Core was generated by `/test/MDEV-35915_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd --no-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 handler::keyread_enabled (this=0x0, this@entry=0x70f94801c550)at /test/11.8-enterprise-global-tmp_opt/sql/handler.h:3604
3604 inline bool keyread_enabled() { return keyread < MAX_KEY; }
[Current thread is 1 (LWP 82968)]
(gdb) bt
#0 handler::keyread_enabled (this=0x0, this@entry=0x70f94801c550)at /test/11.8-enterprise-global-tmp_opt/sql/handler.h:3604
#1 handler::ha_end_keyread (this=0x0, this@entry=0x70f94801c550)at /test/11.8-enterprise-global-tmp_opt/sql/handler.h:3613
#2 st_join_table::cleanup (this=this@entry=0x70f94801c550)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:16554
#3 0x00005bf24e63726e in JOIN::cleanup (this=0x70f94801a1b0, full=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:17107
#4 0x00005bf24e636bd7 in JOIN::destroy (this=0x0)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:5106
#5 0x00005bf24e6cc585 in st_select_lex::cleanup (this=0x70f948017dd8)at /test/11.8-enterprise-global-tmp_opt/sql/sql_union.cc:2944
#6 0x00005bf24e61bd11 in mysql_select (thd=thd@entry=0x70f948000c68, tables=<optimized out>, fields=@0x70f9480180b0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x70f9480183e0, last = 0x70f9480183e0, elements = 1}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x70f94801a070, unit=0x70f948004fc8, select_lex=0x70f948017dd8)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:5411
#7 0x00005bf24e61b8b9 in handle_select (thd=thd@entry=0x70f948000c68, lex=lex@entry=0x70f948004ee8, result=result@entry=0x70f94801a070, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.8-enterprise-global-tmp_opt/sql/sql_select.cc:633
#8 0x00005bf24e6bb89b in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x70f948000c68)at /test/11.8-enterprise-global-tmp_opt/sql/sql_table.cc:13777
#9 0x00005bf24e5e090e in mysql_execute_command (thd=thd@entry=0x70f948000c68, is_called_from_prepared_stmt=false)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:5898
#10 0x00005bf24e5dbf51 in mysql_parse (thd=thd@entry=0x70f948000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x70fa70168420)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:7947
#11 0x00005bf24e5da3c4 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x70f948000c68, packet=packet@entry=0x70f9480088f9 "CREATE TABLE t2 SELECT * FROM t1", packet_length=packet_length@entry=32, blocking=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:1913
#12 0x00005bf24e5dc361 in do_command (thd=thd@entry=0x70f948000c68, blocking=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_parse.cc:1426
#13 0x00005bf24e731a9d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5bf2504cb398, put_in_cache=true)at /test/11.8-enterprise-global-tmp_opt/sql/sql_connect.cc:1415
#14 0x00005bf24e73185f in handle_one_connection (arg=arg@entry=0x5bf2504cb398)at /test/11.8-enterprise-global-tmp_opt/sql/sql_connect.cc:1327
#15 0x00005bf24e8e9c09 in pfs_spawn_thread (arg=0x5bf25046ad68)at /test/11.8-enterprise-global-tmp_opt/storage/perfschema/pfs.cc:2198
#16 0x000070fa72a9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#17 0x000070fa72b29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915 ES 11.8.3-1 267fc98bf48033db5cf8b3bbffd9d3aea4e9ea8e (Optimized, UBASAN, Clang) Build 31/07/2025
==97958==ERROR: AddressSanitizer: heap-use-after-free on address 0x5190000537a0 at pc 0x5aa42e5bec1e bp 0x7bb6e4500320 sp 0x7bb6e4500318
READ of size 8 at 0x5190000537a0 thread T12
#0 0x5aa42e5bec1d in st_join_table::cleanup() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:16554:12
#1 0x5aa42e5769ca in JOIN::cleanup(bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:17107:16
#2 0x5aa42e576115 in JOIN::destroy() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:5106:3
#3 0x5aa42e8beb84 in st_select_lex::cleanup() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_union.cc:2944:18
#4 0x5aa42e4ea79d in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:5411:29
#5 0x5aa42e4e8b80 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:633:10
#6 0x5aa42e85a37a in Sql_cmd_create_table_like::execute(THD*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:13777:20
#7 0x5aa42e3a7119 in mysql_execute_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:5898:26
#8 0x5aa42e385650 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:7947:18
#9 0x5aa42e37c99d in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1913:7
#10 0x5aa42e387a92 in do_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1426:17
#11 0x5aa42eae239c in do_handle_one_connection(CONNECT*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1415:11
#12 0x5aa42eae1bf6 in handle_one_connection /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1327:5
#13 0x5aa42d2a5ccc in asan_thread_start(void*) crtstuff.c
#14 0x7bb7d209ca93 in start_thread nptl/pthread_create.c:447:8
#15 0x7bb7d2129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5190000537a0 is located 32 bytes inside of 1064-byte region [0x519000053780,0x519000053ba8)
freed by thread T12 here:
#0 0x5aa42d2a7f4a in free (/test/MDEV-35915_UBASAN_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd+0x2814f4a) (BuildId: 2bff5956b5eade4a)
#1 0x5aa42ef3bfe4 in THD::close_temporary_table(TABLE*) /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:1364:3
#2 0x5aa42ef3bfe4 in THD::free_temporary_table(TABLE*) /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:1648:3
#3 0x5aa42ef3ee86 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:749:5
#4 0x5aa42ef40e9e in THD::commit_global_tmp_tables() /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:1389:28
#5 0x5aa42d3b95f5 in commit_one_phase_2(THD, bool, THD_TRANS, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/handler.cc:2239:17
#6 0x5aa42d3b7ae1 in ha_commit_trans(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/handler.cc:1973:12
#7 0x5aa42eb41b57 in trans_commit_stmt(THD*) /test/11.8-enterprise-global-tmp_opt_san/sql/transaction.cc:496:10
#8 0x5aa42e288529 in select_create::send_eof() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_insert.cc:5413:9
#9 0x5aa42e575688 in do_select(JOIN, Procedure) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:23855:9
#10 0x5aa42e571a36 in JOIN::exec_inner() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:5076:50
#11 0x5aa42e56e760 in JOIN::exec() /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:4859:8
#12 0x5aa42e4ea446 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:5392:21
#13 0x5aa42e4e8b80 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:633:10
#14 0x5aa42e85a37a in Sql_cmd_create_table_like::execute(THD*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:13777:20
#15 0x5aa42e3a7119 in mysql_execute_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:5898:26
#16 0x5aa42e385650 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:7947:18
#17 0x5aa42e37c99d in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1913:7
#18 0x5aa42e387a92 in do_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1426:17
#19 0x5aa42eae239c in do_handle_one_connection(CONNECT*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1415:11
#20 0x5aa42eae1bf6 in handle_one_connection /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1327:5
#21 0x5aa42d2a5ccc in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x5aa42d2a81e3 in malloc (/test/MDEV-35915_UBASAN_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd+0x28151e3) (BuildId: 2bff5956b5eade4a)
#1 0x5aa42fe6b932 in my_malloc /test/11.8-enterprise-global-tmp_opt_san/mysys/my_malloc.c:93:29
#2 0x5aa42ef34754 in THD::open_temporary_table(TMP_TABLE_SHARE*, Lex_ident_table const&) /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:1228:26
#3 0x5aa42ef336f1 in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string, char const, Lex_ident_db const&, Lex_ident_table const&, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/temporary_tables.cc:89:12
#4 0x5aa42e801193 in create_table_impl(THD, st_ddl_log_state, st_ddl_log_state, Lex_ident_db const&, Lex_ident_table const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, DDL_options_st, HA_CREATE_INFO, Alter_info, int, bool, st_key*, unsigned int, st_mysql_const_unsigned_lex_string*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:4945:24
#5 0x5aa42e7fe9cd in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:5033:8
#6 0x5aa42e80565a in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:6174:14
#7 0x5aa42df15ee0 in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_base.cc:2329:22
#8 0x5aa42df22c70 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_base.cc:4284:14
#9 0x5aa42df22c70 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_base.cc:4773:14
#10 0x5aa42df2d168 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_base.cc:5744:7
#11 0x5aa42e8595ba in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_base.h:541:10
#12 0x5aa42e8595ba in Sql_cmd_create_table_like::execute(THD*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_table.cc:13724:10
#13 0x5aa42e3a7119 in mysql_execute_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:5898:26
#14 0x5aa42e385650 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:7947:18
#15 0x5aa42e37c99d in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1913:7
#16 0x5aa42e387a92 in do_command(THD*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_parse.cc:1426:17
#17 0x5aa42eae239c in do_handle_one_connection(CONNECT*, bool) /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1415:11
#18 0x5aa42eae1bf6 in handle_one_connection /test/11.8-enterprise-global-tmp_opt_san/sql/sql_connect.cc:1327:5
#19 0x5aa42d2a5ccc in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x5aa42d28db55 in pthread_create (/test/MDEV-35915_UBASAN_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd+0x27fab55) (BuildId: 2bff5956b5eade4a)
#1 0x5aa42d2f8ca1 in create_thread_to_handle_connection(CONNECT*) /test/11.8-enterprise-global-tmp_opt_san/sql/mysqld.cc:6289:19
#2 0x5aa42d2f9e8a in handle_connections_sockets() /test/11.8-enterprise-global-tmp_opt_san/sql/mysqld.cc:6525:9
#3 0x5aa42d2f7ff0 in run_main_loop() /test/11.8-enterprise-global-tmp_opt_san/sql/mysqld.cc:5756:3
#4 0x5aa42d2ef28f in mysqld_main(int, char**) /test/11.8-enterprise-global-tmp_opt_san/sql/mysqld.cc:6190:3
#5 0x7bb7d202a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7bb7d202a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5aa42d20d394 in _start (/test/MDEV-35915_UBASAN_EMD310725-mariadb-11.8.3-1-linux-x86_64-opt/bin/mariadbd+0x277a394) (BuildId: 2bff5956b5eade4a)

SUMMARY: AddressSanitizer: heap-use-after-free /test/11.8-enterprise-global-tmp_opt_san/sql/sql_select.cc:16554:12 in st_join_table::cleanup()
Shadow bytes around the buggy address:
0x519000053500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x519000053700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x519000053780: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x519000053800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x519000053a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==97958==ABORTING

Same stacks/ASAN on ES 11.8 dbg, and CS 12.0 dbg/opt.

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-08-06 01:53

Updated:: 1 hour ago

Resolved:: 2025-09-12 05:03

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.