Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-37668

SIGSEGV on DROP TABLE GTT under LOCK TABLES and different server_id

    XMLWordPrintable

Details

    • Not for Release Notes
    • Q4/2025 Server Maintenance

    Description

      --source include/have_binlog_format_row.inc
      		 
      CREATE GLOBAL TEMPORARY TABLE t (x INT) ON COMMIT PRESERVE ROWS AS SELECT 1 'a';
      		 
      CREATE GLOBAL TEMPORARY TABLE t2 (x INT KEY) ON COMMIT PRESERVE ROWS;
      		 
      SET SESSION server_id=10;
      		 
      LOCK TABLES t2 AS a1 WRITE,t AS a5 WRITE;
      		 
      DROP TABLE t;

      Leads to:

      MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, Clang 21.1.0-20250811) Build 16/09/2025

      		 
      Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x000060999f644e2b in MDL_lock::reschedule_waiters (this=this@entry=0x6099a26f35c8)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1981
      		 
       
      		 
      [Current thread is 1 (LWP 698407)]
      		 
      (gdb) bt
      		 
      #0  0x000060999f644e2b in MDL_lock::reschedule_waiters (this=this@entry=0x6099a26f35c8)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1981
      		 
      #1  0x000060999f645458 in MDL_lock::remove_ticket (this=this@entry=0x6099a26f35c8, pins=pins@entry=0x6099a2568230, list=list@entry=&MDL_lock::m_granted, ticket=ticket@entry=0x7181e80172f0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2524
      		 
      #2  0x000060999f646fa7 in MDL_lock::release (this=0x6099a26f35c8, pins=0x6099a2568230, ticket=0x7181e80172f0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1420
      		 
      #3  MDL_context::release_lock (this=<optimized out>, duration=<optimized out>, ticket=0x7181e80172f0)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3495
      		 
      #4  0x000060999f728ff9 in THD::free_tmp_table_share (this=this@entry=0x7181e8000c68, share=share@entry=0x7181e8029658, delete_table=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:1764
      		 
      #5  0x000060999f72b100 in THD::log_events_and_free_tmp_shares (this=this@entry=0x7181e8000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:1671
      		 
      #6  0x000060999f72aa2f in THD::close_temporary_tables (this=0x7181e8000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:676
      		 
      #7  0x000060999f42bf2f in THD::cleanup (this=0x7181e8000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_class.cc:1692
      		 
      #8  0x000060999f1ef41e in unlink_thd (thd=0x0, thd@entry=0x7181e8000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/mysqld.cc:2868
      		 
      #9  0x000060999f63b57d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x6099a278d6b8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1425
      		 
      #10 0x000060999f63b2bf in handle_one_connection (arg=arg@entry=0x6099a278d6b8)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
      		 
      #11 0x000060999f7ffd59 in pfs_spawn_thread (arg=0x6099a273d538)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
      		 
      #12 0x000071831e69ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #13 0x000071831e729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, Clang 21.1.0-20250811) Build 16/09/2025

      		 
      mariadbd: /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3781: void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration): Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed.

      MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, Clang 21.1.0-20250811) Build 16/09/2025

      		 
      Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-d'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
       
      		 
      [Current thread is 1 (LWP 698811)]
      		 
      (gdb) bt
      		 
      #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
      		 
      #1  __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
      		 
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
      		 
      #3  0x00007fe2baa4526e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
      		 
      #4  0x00007fe2baa288ff in __GI_abort () at ./stdlib/abort.c:79
      		 
      #5  0x00007fe2baa2881b in __assert_fail_base (fmt=0x7fe2babd01e8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x61b05b439f1e "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=file@entry=0x61b05b30fd53 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=line@entry=3781, function=function@entry=0x61b05b33aecf "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:94
      		 
      #6  0x00007fe2baa3b507 in __assert_fail (assertion=0x61b05b439f1e "mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION", file=0x61b05b30fd53 "/test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc", line=3781, function=0x61b05b33aecf "void MDL_context::set_lock_duration(MDL_ticket *, enum_mdl_duration)") at ./assert/assert.c:103
      		 
      #7  0x000061b05c1e4862 in MDL_context::set_lock_duration (this=0x7fe1a8000f70, mdl_ticket=0x7fe1a802e480, duration=MDL_EXPLICIT)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3780
      		 
      #8  0x000061b05c32634a in THD::global_tmp_tables_set_explicit_lock_duration (this=0x7fe1a8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:377
      		 
      #9  0x000061b05beb7404 in THD::leave_locked_tables_mode (this=0x7fe1a8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_class.cc:6569
      		 
      #10 0x000061b05be8748e in Locked_tables_list::unlock_locked_tables (this=0x7fe1a8004f68, thd=0x7fe1a8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_base.cc:2762
      		 
      #11 0x000061b05bea97a7 in THD::cleanup (this=0x7fe1a8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_class.cc:1689
      		 
      #12 0x000061b05bb49d07 in unlink_thd (thd=0x7fe1a8000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mysqld.cc:2868
      		 
      #13 0x000061b05c1d222c in do_handle_one_connection (connect=0x61b05e1651e8, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1425
      		 
      #14 0x000061b05c1d1fb1 in handle_one_connection (arg=0x61b05e16db48)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
      		 
      #15 0x00007fe2baa9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      		 
      #16 0x00007fe2bab29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

      MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025

      		 
      ==2937349==ERROR: AddressSanitizer: heap-use-after-free on address 0x796ed0c304b8 at pc 0x60a73e534c23 bp 0x78ede2700a30 sp 0x78ede2700a28
      		 
      READ of size 8 at 0x796ed0c304b8 thread T13
      		 
          #0 0x60a73e534c22 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14
      		 
          #1 0x60a73e53124d in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3783:30
      		 
          #2 0x60a73e9599c3 in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:377:17
      		 
          #3 0x60a73d8a1475 in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_class.cc:6569:7
      		 
          #4 0x60a73d7e48a1 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2762:8
      		 
          #5 0x60a73d86d1f4 in THD::cleanup() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_class.cc:1689:22
      		 
          #6 0x60a73ccf3e4d in unlink_thd(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:2868:8
      		 
          #7 0x60a73e4f33b8 in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1425:5
      		 
          #8 0x60a73e4f2cb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #9 0x60a73cca7d9a in asan_thread_start(void*) crtstuff.c
      		 
          #10 0x7ceed1e9ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #11 0x7ceed1f29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x796ed0c304b8 is located 24 bytes inside of 88-byte region [0x796ed0c304a0,0x796ed0c304f8)
      		 
      freed by thread T13 here:
      		 
          #0 0x60a73ccef326 in operator delete(void*, unsigned long) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3012326) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
      		 
          #1 0x60a73e5308f3 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3573:7
      		 
          #2 0x60a73e1abeff in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:2059:28
      		 
          #3 0x60a73e1a59f5 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:1265:10
      		 
          #4 0x60a73dceb925 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:4772:10
      		 
          #5 0x60a73dcc6705 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
      		 
          #6 0x60a73dcbe8c8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #7 0x60a73dcc8640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #8 0x60a73e4f319c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #9 0x60a73e4f2cb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #10 0x60a73cca7d9a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T13 here:
      		 
          #0 0x60a73ccee8e1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x30118e1) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
      		 
          #1 0x60a73e52bcdf in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:2798:17
      		 
          #2 0x60a73e1d1aa4 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6318:26
      		 
          #3 0x60a73d7dea6e in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2351:22
      		 
          #4 0x60a73dbbbda3 in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_insert.cc:4943:11
      		 
          #5 0x60a73dbbed3c in select_create::prepare(List<Item>&, st_select_lex_unit*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_insert.cc:5102:16
      		 
          #6 0x60a73de624d9 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:1886:39
      		 
          #7 0x60a73de4c6ad in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:5377:21
      		 
          #8 0x60a73de4b235 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:634:10
      		 
          #9 0x60a73e2409bd in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:13960:20
      		 
          #10 0x60a73dce2fff in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
      		 
          #11 0x60a73dcc6705 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
      		 
          #12 0x60a73dcbe8c8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
      		 
          #13 0x60a73dcc8640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
      		 
          #14 0x60a73e4f319c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
      		 
          #15 0x60a73e4f2cb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
      		 
          #16 0x60a73cca7d9a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T13 created by T0 here:
      		 
          #0 0x60a73cc8e495 in pthread_create (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb1495) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
      		 
          #1 0x60a73cd00ac9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
      		 
          #2 0x60a73cd01e0a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
      		 
          #3 0x60a73cd00210 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
      		 
          #4 0x60a73ccf6d4e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
      		 
          #5 0x7ceed1e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x7ceed1e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x60a73cc04da4 in _start (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f27da4) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_plist.h:124:14 in I_P_List<MDL_ticket, I_P_List_adapter<MDL_ticket, &MDL_ticket::next_in_context, &MDL_ticket::prev_in_context>, I_P_List_null_counter, I_P_List_no_push_back<MDL_ticket>>::remove(MDL_ticket*)
      		 
      Shadow bytes around the buggy address:
      		 
        0x796ed0c30200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30380: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30400: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
      =>0x796ed0c30480: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x796ed0c30580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
        0x796ed0c30700: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==2937349==ABORTING

      MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025

      		 
      ==2993284==ERROR: AddressSanitizer: heap-use-after-free on address 0x76384a0304c8 at pc 0x5f47639d37f8 bp 0x75b7e75008e0 sp 0x75b7e75008d8
      		 
      READ of size 4 at 0x76384a0304c8 thread T11
      		 
          #0 0x5f47639d37f7 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3
      		 
          #1 0x5f4763e0a3df in THD::global_tmp_tables_set_explicit_lock_duration() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:377:17
      		 
          #2 0x5f4762d6cbef in THD::leave_locked_tables_mode() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:6569:7
      		 
          #3 0x5f4762ca69e8 in Locked_tables_list::unlock_locked_tables(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2762:8
      		 
          #4 0x5f4762d38f3b in THD::cleanup() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_class.cc:1689:22
      		 
          #5 0x5f4762195d4d in unlink_thd(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:2868:8
      		 
          #6 0x5f47639908c1 in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1425:5
      		 
          #7 0x5f4763990325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #8 0x5f4762149d6a in asan_thread_start(void*) crtstuff.c
      		 
          #9 0x79b84b29ca93 in start_thread nptl/pthread_create.c:447:8
      		 
          #10 0x79b84b329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      		 
       
      		 
      0x76384a0304c8 is located 40 bytes inside of 96-byte region [0x76384a0304a0,0x76384a030500)
      		 
      freed by thread T11 here:
      		 
          #0 0x5f47621912f6 in operator delete(void*, unsigned long) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdd2f6) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
      		 
          #1 0x5f47639d2208 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3573:7
      		 
          #2 0x5f476364ebdf in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:2059:28
      		 
          #3 0x5f47636487c7 in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:1265:10
      		 
          #4 0x5f47631ae05f in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:4772:10
      		 
          #5 0x5f4763189518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
      		 
          #6 0x5f4763182cdc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #7 0x5f476318b94a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #8 0x5f476399081c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #9 0x5f4763990325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #10 0x5f4762149d6a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      previously allocated by thread T11 here:
      		 
          #0 0x5f47621908b1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdc8b1) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
      		 
          #1 0x5f47639cc28f in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
      		 
          #2 0x5f4763674ec9 in open_global_temporary_table(THD*, TABLE_SHARE*, TABLE_LIST*, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6318:26
      		 
          #3 0x5f4762ca0cb2 in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2351:22
      		 
          #4 0x5f476307c1a8 in select_create::create_table_from_items(THD*, List<Item>*, st_mysql_lock**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_insert.cc:4943:11
      		 
          #5 0x5f476307effb in select_create::prepare(List<Item>&, st_select_lex_unit*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_insert.cc:5102:16
      		 
          #6 0x5f4763328182 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:1886:39
      		 
          #7 0x5f4763313358 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:5377:21
      		 
          #8 0x5f4763311c90 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:634:10
      		 
          #9 0x5f47636dbea7 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:13960:20
      		 
          #10 0x5f47631a63c7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
      		 
          #11 0x5f4763189518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
      		 
          #12 0x5f4763182cdc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
      		 
          #13 0x5f476318b94a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
      		 
          #14 0x5f476399081c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
      		 
          #15 0x5f4763990325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
      		 
          #16 0x5f4762149d6a in asan_thread_start(void*) crtstuff.c
      		 
       
      		 
      Thread T11 created by T0 here:
      		 
          #0 0x5f4762130465 in pthread_create (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7c465) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
      		 
          #1 0x5f47621a3dbc in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
      		 
          #2 0x5f47621a4e45 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
      		 
          #3 0x5f47621a33ca in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
      		 
          #4 0x5f4762198d7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
      		 
          #5 0x79b84b22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
      		 
          #6 0x79b84b22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
      		 
          #7 0x5f47620a6d74 in _start (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af2d74) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3780:3 in MDL_context::set_lock_duration(MDL_ticket*, enum_mdl_duration)
      		 
      Shadow bytes around the buggy address:
      		 
        0x76384a030200: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030280: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030300: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030380: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030400: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      		 
      =>0x76384a030480: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
      		 
        0x76384a030500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x76384a030700: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==2993284==ABORTING

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-35915 Implement Global temporary tables

          • Critical - Crashes, loss of data, severe memory leak.
          • In Testing

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37673 Changing server_id results in ignoring temporary tables created in the past

          • Major - Major loss of function.
          • In Review
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-37720 SIGSEGV in MDL_lock::reschedule_waiters, Assertion `mdl_ticket->m_duration == MDL_TRANSACTION && duration != MDL_TRANSACTION' failed and ASAN heap-use-after-free in I_P_List and MDL_context::set_lock_duration

          • Blocker - Blocks development and/or testing work, production could not run.
          • In Progress

          Activity

            People

              nikitamalyavin Nikita Malyavin
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.