[MDEV-37681] SIGSEGV on TRUNCATE GTT after failed RENAME under LOCK TABLE - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Temporary, Locking
Labels:

Bug Category:
Not for Release Notes
Sprint:
Q4/2025 Server Maintenance

Description

Looks to be an additional unresolved codepath of ~~MDEV-37579~~:

CREATE GLOBAL TEMPORARY TABLE t (c INT) ON COMMIT PRESERVE ROWS;

LOCK TABLE t WRITE;

SELECT * FROM t;

ALTER TABLE t RENAME a.t;   # ERROR 1025 (HY000): Error on rename of './test/t' to './a/t' (errno: 168 "Unknown (generic) error from engine")

TRUNCATE t;

Leads to:

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, Clang 21.1.0-20250811) Build 16/09/2025
Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ilist<MDL_ticket, void>::erase (this=0x7a9e1c021888, pos=...)at /test/bb-12.2-nikita-global-tmp_opt/include/ilist.h:193

[Current thread is 1 (LWP 2621951)]
(gdb) bt
#0 ilist<MDL_ticket, void>::erase (this=0x7a9e1c021888, pos={node_ = 0x7a9e1c017188})at /test/bb-12.2-nikita-global-tmp_opt/include/ilist.h:193
#1 ilist<MDL_ticket, void>::remove (this=0x7a9e1c021888, value=@0x7a9e1c017180: {<MDL_wait_for_subgraph> = {_vptr$MDL_wait_for_subgraph = 0x7a99b5e3ba37, static _vtable$ = <optimized out>}, <ilist_node<void>> = {next = 0xa9cf6d18b93d2240, prev = 0x7a9e1c021888}, next_in_context = 0x7a9e1c0172a0, prev_in_context = 0x7a9e1c000ef8, m_time = 0, m_fast_lane = std::atomic<void *> = { 0x0 }, m_type = MDL_SHARED, m_ctx = 0x7a9e1c000e78, m_lock = 0x7a9e1c021688, m_psi = 0x0, static _vtable$ = <optimized out>})at /test/bb-12.2-nikita-global-tmp_opt/include/ilist.h:212
#2 MDL_lock::Ticket_list::remove_ticket (this=0x7a9e1c021888, ticket=0x7a9e1c017180)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1955
#3 MDL_lock::remove_ticket (this=this@entry=0x7a9e1c021688, pins=pins@entry=0x5aa5d52fc058, list=list@entry=&MDL_lock::m_granted, ticket=ticket@entry=0x7a9e1c017180)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:2496
#4 0x00005aa5d269cfa7 in MDL_lock::release (this=0x7a9e1c021688, pins=0x5aa5d52fc058, ticket=0x7a9e1c017180)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:1420
#5 MDL_context::release_lock (this=<optimized out>, duration=<optimized out>, ticket=0x7a9e1c017180)at /test/bb-12.2-nikita-global-tmp_opt/sql/mdl.cc:3495
#6 0x00005aa5d277eff9 in THD::free_tmp_table_share (this=this@entry=0x7a9e1c000c68, share=share@entry=0x7a9e1c02e3c8, delete_table=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:1764
#7 0x00005aa5d2781725 in THD::drop_tmp_table_share (this=0x7a9e1c000c68, table=<optimized out>, share=0x7a9e1c02e3c8, delete_table=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/temporary_tables.cc:820
#8 0x00005aa5d26c97f1 in Sql_cmd_truncate_table::truncate_table (this=this@entry=0x7a9e1c017e70, thd=thd@entry=0x7a9e1c000c68, table_ref=table_ref@entry=0x7a9e1c017738)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_truncate.cc:484
#9 0x00005aa5d26c9b28 in Sql_cmd_truncate_table::execute (this=0x7a9e1c017e70, thd=0x7a9e1c000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_truncate.cc:616
#10 0x00005aa5d253fb7c in mysql_execute_command (thd=thd@entry=0x7a9e1c000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5861
#11 0x00005aa5d253ae24 in mysql_parse (thd=thd@entry=0x7a9e1c000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7a9f48f4c420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7894
#12 0x00005aa5d25395cd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7a9e1c000c68, packet=packet@entry=0x7a9e1c0089f9 "TRUNCATE t", packet_length=packet_length@entry=10, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1882
#13 0x00005aa5d253b2a1 in do_command (thd=thd@entry=0x7a9e1c000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1421
#14 0x00005aa5d26914fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5aa5d550bc48, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
#15 0x00005aa5d26912bf in handle_one_connection (arg=arg@entry=0x5aa5d550bc48)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
#16 0x00005aa5d2855d59 in pfs_spawn_thread (arg=0x5aa5d54bb948)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
#17 0x00007a9f4bc9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x00007a9f4bd29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, Clang 21.1.0-20250811) Build 16/09/2025
Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000578911bf456f in ilist<MDL_ticket, void>::erase (this=0x707c1c02d0e0, pos=...) at /test/bb-12.2-nikita-global-tmp_dbg/include/ilist.h:192

[Current thread is 1 (LWP 2621520)]
(gdb) bt
#0 0x0000578911bf456f in ilist<MDL_ticket, void>::erase (this=0x707c1c02d0e0, pos={node_ = 0x707c1c03cf68})at /test/bb-12.2-nikita-global-tmp_dbg/include/ilist.h:192
#1 0x0000578911bf1df2 in ilist<MDL_ticket, void>::remove (this=0x707c1c02d0e0, value=@0x707c1c03cf60: {<MDL_wait_for_subgraph> = {_vptr$MDL_wait_for_subgraph = 0x707b1bc3455c, static _vtable$ = <optimized out>}, <ilist_node<void>> = {next = 0xc73f996609bfa569, prev = 0x0}, next_in_context = 0x707c1c019780, prev_in_context = 0x707c1c001070, m_duration = MDL_EXPLICIT, m_time = 0, m_fast_lane = std::atomic<void *> = { 0x0 }, m_type = MDL_SHARED, m_ctx = 0x707c1c000f70, m_lock = 0x707c1c02ced8, m_psi = 0x0, static _vtable$ = <optimized out>})at /test/bb-12.2-nikita-global-tmp_dbg/include/ilist.h:212
#2 0x0000578911beda21 in MDL_lock::Ticket_list::remove_ticket (this=0x707c1c02d0e0, ticket=0x707c1c03cf60)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:1955
#3 0x0000578911bee134 in MDL_lock::remove_ticket (this=0x707c1c02ced8, pins=0x5789156fe848, list=&MDL_lock::m_granted, ticket=0x707c1c03cf60)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:2496
#4 0x0000578911bf285b in MDL_lock::release (this=0x707c1c02ced8, pins=0x5789156fe848, ticket=0x707c1c03cf60)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:1420
#5 0x0000578911bf006f in MDL_context::release_lock (this=0x707c1c000f70, duration=MDL_EXPLICIT, ticket=0x707c1c03cf60)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3495
#6 0x0000578911bf013c in MDL_context::release_lock (this=0x707c1c000f70, ticket=0x707c1c03cf60)at /test/bb-12.2-nikita-global-tmp_dbg/sql/mdl.cc:3515
#7 0x0000578911d31698 in THD::free_tmp_table_share (this=0x707c1c000d58, share=0x707c1c039518, delete_table=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:1764
#8 0x0000578911d33bb5 in THD::drop_tmp_table_share (this=0x707c1c000d58, table=0x0, share=0x707c1c039518, delete_table=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/temporary_tables.cc:820
#9 0x0000578911c2ea0a in Sql_cmd_truncate_table::truncate_table (this=0x707c1c01a670, thd=0x707c1c000d58, table_ref=0x707c1c019f38)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_truncate.cc:484
#10 0x0000578911c2ee67 in Sql_cmd_truncate_table::execute (this=0x707c1c01a670, thd=0x707c1c000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_truncate.cc:616
#11 0x00005789119f9be5 in mysql_execute_command (thd=0x707c1c000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5861
#12 0x00005789119eaea8 in mysql_parse (thd=0x707c1c000d58, rawbuf=0x707c1c019e80 "TRUNCATE t", length=10, parser_state=0x707d486e6a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7894
#13 0x00005789119e8689 in dispatch_command (command=COM_QUERY, thd=0x707c1c000d58, packet=0x707c1c00b1f9 "TRUNCATE t", packet_length=10, blocking=true) at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
#14 0x00005789119eb92a in do_command (thd=0x707c1c000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
#15 0x0000578911bde1ce in do_handle_one_connection (connect=0x57891599e358, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#16 0x0000578911bddfb1 in handle_one_connection (arg=0x5789159af3f8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#17 0x0000707d4b89ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x0000707d4b929c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025
==2629684==ERROR: AddressSanitizer: heap-use-after-free on address 0x74867422c768 at pc 0x5a549b64c52e bp 0x7405879004b0 sp 0x7405879004a8
READ of size 8 at 0x74867422c768 thread T12
#0 0x5a549b64c52d in MDL_context::release_lock(enum_mdl_duration, MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3486:27
#1 0x5a549ba7241e in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:1764:19
#2 0x5a549ba7a898 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/temporary_tables.cc:820:11
#3 0x5a549b6d3b5d in Sql_cmd_truncate_table::truncate_table(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_truncate.cc:484:17
#4 0x5a549b6d4ffc in Sql_cmd_truncate_table::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_truncate.cc:616:15
#5 0x5a549adfefff in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
#6 0x5a549ade2705 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
#7 0x5a549adda8c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#8 0x5a549ade4640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#9 0x5a549b60f19c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#10 0x5a549b60ecb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#11 0x5a5499dc3d9a in asan_thread_start(void*) crtstuff.c
#12 0x78067529ca93 in start_thread nptl/pthread_create.c:447:8
#13 0x780675329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x74867422c768 is located 72 bytes inside of 88-byte region [0x74867422c720,0x74867422c778)
freed by thread T12 here:
#0 0x5a5499e0b326 in operator delete(void*, unsigned long) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x3012326) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
#1 0x5a549b64c8f3 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3573:7
#2 0x5a549b330a88 in simple_rename_or_index_change(THD, TABLE_LIST, Alter_info::enum_enable_or_disable, TRIGGER_RENAME_PARAM, Alter_table_ctx) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:10537:24
#3 0x5a549b312ce6 in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:11516:12
#4 0x5a549b63b341 in Sql_cmd_alter_table::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_alter.cc:695:11
#5 0x5a549adfefff in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
#6 0x5a549ade2705 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
#7 0x5a549adda8c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#8 0x5a549ade4640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#9 0x5a549b60f19c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#10 0x5a549b60ecb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#11 0x5a5499dc3d9a in asan_thread_start(void*) crtstuff.c

previously allocated by thread T12 here:
#0 0x5a5499e0a8e1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x30118e1) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
#1 0x5a549b647cdf in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:2798:17
#2 0x5a549b2edaa4 in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:6318:26
#3 0x5a549a8faa6e in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:2351:22
#4 0x5a549a90d164 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4308:14
#5 0x5a549a90d164 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:4791:14
#6 0x5a549a91b505 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.cc:5779:7
#7 0x5a549a3ca653 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_base.h:544:10
#8 0x5a549ae1b57a in execute_sqlcom_select(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:6092:14
#9 0x5a549adff1d3 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:3954:12
#10 0x5a549ade2705 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
#11 0x5a549adda8c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#12 0x5a549ade4640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#13 0x5a549b60f19c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#14 0x5a549b60ecb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#15 0x5a5499dc3d9a in asan_thread_start(void*) crtstuff.c

Thread T12 created by T0 here:
#0 0x5a5499daa495 in pthread_create (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2fb1495) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)
#1 0x5a5499e1cac9 in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6272:19
#2 0x5a5499e1de0a in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6508:9
#3 0x5a5499e1c210 in run_main_loop() /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:5750:3
#4 0x5a5499e12d4e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_opt_san/sql/mysqld.cc:6173:3
#5 0x78067522a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x78067522a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5a5499d20da4 in _start (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd+0x2f27da4) (BuildId: fb2272293490eb4652cbe0b2d35631589d7e94fa)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_opt_san/sql/mdl.cc:3486:27 in MDL_context::release_lock(enum_mdl_duration, MDL_ticket*)
Shadow bytes around the buggy address:
0x74867422c480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x74867422c500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x74867422c580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x74867422c600: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x74867422c680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x74867422c700: fa fa fa fa fd fd fd fd fd fd fd fd fd[fd]fd fa
0x74867422c780: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x74867422c800: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x74867422c880: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x74867422c900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x74867422c980: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2629684==ABORTING

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025
==2629683==ERROR: AddressSanitizer: heap-use-after-free on address 0x72273062c748 at pc 0x60773c16add7 bp 0x71a62ad00360 sp 0x71a62ad00358
READ of size 4 at 0x72273062c748 thread T13
#0 0x60773c16add6 in MDL_context::release_lock(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3513:3
#1 0x60773c59fc84 in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:1764:19
#2 0x60773c5a8509 in THD::drop_tmp_table_share(TABLE, TMP_TABLE_SHARE, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/temporary_tables.cc:820:11
#3 0x60773c1f5e74 in Sql_cmd_truncate_table::truncate_table(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_truncate.cc:484:17
#4 0x60773c1f745c in Sql_cmd_truncate_table::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_truncate.cc:616:15
#5 0x60773b93f3c7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
#6 0x60773b922518 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
#7 0x60773b91bcdc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#8 0x60773b92494a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#9 0x60773c12981c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#10 0x60773c129325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#11 0x60773a8e2d6a in asan_thread_start(void*) crtstuff.c
#12 0x75a73189ca93 in start_thread nptl/pthread_create.c:447:8
#13 0x75a731929c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x72273062c748 is located 40 bytes inside of 96-byte region [0x72273062c720,0x72273062c780)
freed by thread T13 here:
#0 0x60773a92a2f6 in operator delete(void*, unsigned long) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdd2f6) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
#1 0x60773c16b208 in MDL_context::release_all_locks_for_name(MDL_ticket*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3573:7
#2 0x60773be4a0fc in simple_rename_or_index_change(THD, TABLE_LIST, Alter_info::enum_enable_or_disable, TRIGGER_RENAME_PARAM, Alter_table_ctx) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:10537:24
#3 0x60773be340bd in mysql_alter_table(THD, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, TABLE_LIST, Recreate_info, Alter_info, unsigned int, st_order, bool, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:11516:12
#4 0x60773c155cae in Sql_cmd_alter_table::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_alter.cc:695:11
#5 0x60773b93f3c7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
#6 0x60773b922518 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
#7 0x60773b91bcdc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#8 0x60773b92494a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#9 0x60773c12981c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#10 0x60773c129325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#11 0x60773a8e2d6a in asan_thread_start(void*) crtstuff.c

previously allocated by thread T13 here:
#0 0x60773a9298b1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdc8b1) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
#1 0x60773c16528f in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
#2 0x60773be0dec9 in open_global_temporary_table(THD, TABLE_SHARE, TABLE_LIST, MDL_ticket) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:6318:26
#3 0x60773b439cb2 in open_table(THD, TABLE_LIST, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:2351:22
#4 0x60773b44cf15 in open_and_process_table(THD, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy, bool, Open_table_context*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4308:14
#5 0x60773b44cf15 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4791:14
#6 0x60773b45d191 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:5779:7
#7 0x60773af26fb4 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:544:10
#8 0x60773b95d503 in execute_sqlcom_select(THD, TABLE_LIST) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:6092:14
#9 0x60773b948e78 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:3954:12
#10 0x60773b922518 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
#11 0x60773b91bcdc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#12 0x60773b92494a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#13 0x60773c12981c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#14 0x60773c129325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#15 0x60773a8e2d6a in asan_thread_start(void*) crtstuff.c

Thread T13 created by T0 here:
#0 0x60773a8c9465 in pthread_create (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7c465) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
#1 0x60773a93cdbc in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
#2 0x60773a93de45 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
#3 0x60773a93c3ca in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
#4 0x60773a931d7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
#5 0x75a73182a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x75a73182a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x60773a83fd74 in _start (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af2d74) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)

SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3513:3 in MDL_context::release_lock(MDL_ticket*)
Shadow bytes around the buggy address:
0x72273062c480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
0x72273062c500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x72273062c580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x72273062c600: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x72273062c680: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x72273062c700: fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd fd fd
0x72273062c780: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x72273062c800: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x72273062c880: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x72273062c900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x72273062c980: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2629683==ABORTING

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-09-18 04:57

Updated:: Yesterday 00:08

Resolved:: 3 days ago 03:35

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.