[MDEV-37690] SIGSEGV and UBSAN null-pointer-use in myrocks::Rdb_transaction_impl::prepare on CREATE TABLE ... AS SELECT - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: N/A
Fix Version/s: N/A
Component/s: Data Definition - Create Table, Data Definition - Temporary, Storage Engine - RocksDB
Labels:
None

Bug Category:
Not for Release Notes
Sprint:
Q4/2025 Server Maintenance

Description

While it looks partially related to MDEV-29680, this bug is present only in bb-12.2-nikita-global-tmp at 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52, and not in 12.2 trunk.

# mysqld options required for replay: --log-bin

INSTALL SONAME 'ha_rocksdb';

SET default_storage_engine=RocksDB;

CREATE TABLE t AS SELECT 0 QUERY;

Leads to, in 12.2 trunk:

CS 12.2.0 b8a77289639a3b10ada64cf892f02b5cecdb1603 (Optimized, Clang 21.1.0-20250811) Build 17/09/2025
12.2.0-opt>CREATE TABLE t AS SELECT 0 QUERY;
Query OK, 1 row affected (0.016 sec)
Records: 1 Duplicates: 0 Warnings: 0

However in bb-12.2-nikita-global-tmp v5 we see:

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, Clang 21.1.0-20250811) Build 16/09/2025
Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-opt/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000734f313356fe in myrocks::Rdb_transaction_impl::prepare (this=0x734e88302b80, name=...)at /test/bb-12.2-nikita-global-tmp_opt/storage/rocksdb/ha_rocksdb.cc:3183

[Current thread is 1 (LWP 2353560)]
(gdb) bt
#0 0x0000734f313356fe in myrocks::Rdb_transaction_impl::prepare (this=0x734e88302b80, name="\000\000\000\000\000\000\000\001\030\000MySQLXidd\000\000\000\000\000\000\000\005\000\000\000\000\000\000")at /test/bb-12.2-nikita-global-tmp_opt/storage/rocksdb/ha_rocksdb.cc:3183
#1 0x0000734f31324690 in myrocks::rocksdb_prepare (thd=<optimized out>, prepare_tx=<optimized out>)at /test/bb-12.2-nikita-global-tmp_opt/storage/rocksdb/ha_rocksdb.cc:3924
#2 0x000063ec5250c621 in prepare_or_error (ht=ht@entry=0x734e8807c7c8, thd=thd@entry=0x734e88000c68, all=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/handler.cc:1508
#3 0x000063ec5250d51c in ha_commit_trans (thd=thd@entry=0x734e88000c68, all=false) at /test/bb-12.2-nikita-global-tmp_opt/sql/handler.cc:2007
#4 0x000063ec5293abba in trans_commit_stmt (thd=0x734e88000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/transaction.cc:498
#5 0x000063ec5279d7d3 in select_create::send_eof (this=0x734e88018f68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_insert.cc:5486
#6 0x000063ec5282bb8a in JOIN::exec_inner (this=this@entry=0x734e880190a8)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_select.cc:4968
#7 0x000063ec528113a7 in JOIN::exec (this=0x734e880190a8)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_select.cc:4874
#8 mysql_select (thd=thd@entry=0x734e88000c68, tables=<optimized out>, fields=@0x734e88018230: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x734e880184e0, last = 0x734e880184e0, elements = 1}, <No data fields>}, conds=<optimized out>, og_num=<optimized out>, order=<optimized out>, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x734e88018f68, unit=0x734e88005090, select_lex=0x734e88017f78)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_select.cc:5402
#9 0x000063ec52811049 in handle_select (thd=thd@entry=0x734e88000c68, lex=lex@entry=0x734e88004fb0, result=result@entry=0x734e88018f68, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_select.cc:634
#10 0x000063ec528b177c in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x734e88000c68)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_table.cc:13960
#11 0x000063ec527d6b7c in mysql_execute_command (thd=thd@entry=0x734e88000c68, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:5861
#12 0x000063ec527d1e24 in mysql_parse (thd=thd@entry=0x734e88000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x734f9c6b6420)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:7894
#13 0x000063ec527d05cd in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x734e88000c68, packet=packet@entry=0x734e88008a99 "CREATE TABLE t AS SELECT 0 QUERY", packet_length=packet_length@entry=32, blocking=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1882
#14 0x000063ec527d22a1 in do_command (thd=thd@entry=0x734e88000c68, blocking=true) at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_parse.cc:1421
#15 0x000063ec529284fd in do_handle_one_connection (connect=<optimized out>, connect@entry=0x63ec5558e678, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1414
#16 0x000063ec529282bf in handle_one_connection (arg=arg@entry=0x63ec5558e678)at /test/bb-12.2-nikita-global-tmp_opt/sql/sql_connect.cc:1326
#17 0x000063ec52aecd59 in pfs_spawn_thread (arg=0x63ec5553e588)at /test/bb-12.2-nikita-global-tmp_opt/storage/perfschema/pfs.cc:2198
#18 0x0000734f9f49ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#19 0x0000734f9f529c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, Clang 21.1.0-20250811) Build 16/09/2025
Core was generated by `/test/MDEV-35915_5_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd --no-d'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000078ebc66c8f79 in myrocks::Rdb_transaction_impl::prepare (this=0x78eafc2a4320, name=...)at /test/bb-12.2-nikita-global-tmp_dbg/storage/rocksdb/ha_rocksdb.cc:3183

[Current thread is 1 (LWP 2353305)]
(gdb) bt
#0 0x000078ebc66c8f79 in myrocks::Rdb_transaction_impl::prepare (this=0x78eafc2a4320, name="\000\000\000\000\000\000\000\001\030\000MySQLXidd\000\000\000\000\000\000\000\005\000\000\000\000\000\000")at /test/bb-12.2-nikita-global-tmp_dbg/storage/rocksdb/ha_rocksdb.cc:3183
#1 0x000078ebc66a48f5 in myrocks::rocksdb_prepare (thd=0x78eafc000d58, prepare_tx=false)at /test/bb-12.2-nikita-global-tmp_dbg/storage/rocksdb/ha_rocksdb.cc:3924
#2 0x000059dd8c4050dd in prepare_or_error (ht=0x78eafc089708, thd=0x78eafc000d58, all=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/handler.cc:1508
#3 0x000059dd8c4066f2 in ha_commit_trans (thd=0x78eafc000d58, all=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/handler.cc:2007
#4 0x000059dd8ca5ab5d in trans_commit_stmt (thd=0x78eafc000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/transaction.cc:498
#5 0x000059dd8c7f97ce in select_create::send_eof (this=0x78eafc01b768)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_insert.cc:5486
#6 0x000059dd8c8d0180 in JOIN::exec_inner (this=0x78eafc01b8a8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_select.cc:4968
#7 0x000059dd8c8cfb69 in JOIN::exec (this=0x78eafc01b8a8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_select.cc:4874
#8 0x000059dd8c8adf93 in mysql_select (thd=0x78eafc000d58, tables=0x0, fields=@0x78eafc01aa30: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x78eafc01ace0, last = 0x78eafc01ace0, elements = 1}, <No data fields>}, conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2201187781376, result=0x78eafc01b768, unit=0x78eafc005158, select_lex=0x78eafc01a778)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_select.cc:5402
#9 0x000059dd8c8ada8d in handle_select (thd=0x78eafc000d58, lex=0x78eafc005078, result=0x78eafc01b768, setup_tables_done_option=0)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_select.cc:634
#10 0x000059dd8c98ac4a in Sql_cmd_create_table_like::execute (this=0x78eafc019fc0, thd=0x78eafc000d58)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_table.cc:13960
#11 0x000059dd8c857be5 in mysql_execute_command (thd=0x78eafc000d58, is_called_from_prepared_stmt=false)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:5861
#12 0x000059dd8c848ea8 in mysql_parse (thd=0x78eafc000d58, rawbuf=0x78eafc019f20 "CREATE TABLE t AS SELECT 0 QUERY", length=32, parser_state=0x78ec2c138a10)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:7894
#13 0x000059dd8c846689 in dispatch_command (command=COM_QUERY, thd=0x78eafc000d58, packet=0x78eafc00b299 "CREATE TABLE t AS SELECT 0 QUERY", packet_length=32, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1882
#14 0x000059dd8c84992a in do_command (thd=0x78eafc000d58, blocking=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_parse.cc:1421
#15 0x000059dd8ca3c1ce in do_handle_one_connection (connect=0x59dd8f45a088, put_in_cache=true)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1414
#16 0x000059dd8ca3bfb1 in handle_one_connection (arg=0x59dd8f4629e8)at /test/bb-12.2-nikita-global-tmp_dbg/sql/sql_connect.cc:1326
#17 0x000078ec2da9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#18 0x000078ec2db29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

And UBSAN sees a null-pointer-use issue:

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Optimized, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025
/test/bb-12.2-nikita-global-tmp_opt_san/storage/rocksdb/ha_rocksdb.cc:3183:23: runtime error: member call on null pointer of type 'rocksdb::Transaction'
#0 0x7bf999eee056 in myrocks::Rdb_transaction_impl::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /test/bb-12.2-nikita-global-tmp_opt_san/storage/rocksdb/ha_rocksdb.cc:3183:23
#1 0x7bf999ebe438 in myrocks::rocksdb_prepare(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/storage/rocksdb/ha_rocksdb.cc:3924:16
#2 0x5ff08d01e63e in prepare_or_error(transaction_participant, THD, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:1508:12
#3 0x5ff08d0235ed in ha_commit_trans(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/handler.cc:2007:9
#4 0x5ff08e7c5af6 in trans_commit_stmt(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/transaction.cc:498:10
#5 0x5ff08de35ee0 in select_create::send_eof() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_insert.cc:5486:9
#6 0x5ff08e168d1a in JOIN::exec_inner() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:4968:30
#7 0x5ff08e16712a in JOIN::exec() /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:4874:8
#8 0x5ff08e0be23a in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:5402:21
#9 0x5ff08e0bc235 in handle_select(THD, LEX, select_result*, unsigned long long) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_select.cc:634:10
#10 0x5ff08e4b19bd in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_table.cc:13960:20
#11 0x5ff08df53fff in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:5861:26
#12 0x5ff08df37705 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:7894:18
#13 0x5ff08df2f8c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1882:7
#14 0x5ff08df39640 in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_parse.cc:1421:17
#15 0x5ff08e76419c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1414:11
#16 0x5ff08e763cb6 in handle_one_connection /test/bb-12.2-nikita-global-tmp_opt_san/sql/sql_connect.cc:1326:5
#17 0x5ff08cf18d9a in asan_thread_start(void*) crtstuff.c
#18 0x7ffa8c09ca93 in start_thread nptl/pthread_create.c:447:8
#19 0x7ffa8c129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/bb-12.2-nikita-global-tmp_opt_san/storage/rocksdb/ha_rocksdb.cc:3183:23

MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025
/test/bb-12.2-nikita-global-tmp_dbg_san/storage/rocksdb/ha_rocksdb.cc:3183:23: runtime error: member call on null pointer of type 'rocksdb::Transaction'
#0 0x7355b4123550 in myrocks::Rdb_transaction_impl::prepare(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /test/bb-12.2-nikita-global-tmp_dbg_san/storage/rocksdb/ha_rocksdb.cc:3183:23
#1 0x7355b40f1da1 in myrocks::rocksdb_prepare(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/storage/rocksdb/ha_rocksdb.cc:3924:16
#2 0x652219570567 in prepare_or_error(transaction_participant, THD, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/handler.cc:1508:12
#3 0x652219577793 in ha_commit_trans(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/handler.cc:2007:9
#4 0x65221ad075bd in trans_commit_stmt(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/transaction.cc:498:10
#5 0x65221a3926ca in select_create::send_eof() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_insert.cc:5486:9
#6 0x65221a6c7a3c in JOIN::exec_inner() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:4968:30
#7 0x65221a6c4602 in JOIN::exec() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:4874:8
#8 0x65221a621464 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:5402:21
#9 0x65221a61fc90 in handle_select(THD, LEX, select_result*, unsigned long long) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_select.cc:634:10
#10 0x65221a9e9ea7 in Sql_cmd_create_table_like::execute(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_table.cc:13960:20
#11 0x65221a4b43c7 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5861:26
#12 0x65221a497518 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
#13 0x65221a490cdc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
#14 0x65221a49994a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
#15 0x65221ac9e81c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
#16 0x65221ac9e325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
#17 0x652219457d6a in asan_thread_start(void*) crtstuff.c
#18 0x7756a6a9ca93 in start_thread nptl/pthread_create.c:447:8
#19 0x7756a6b29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /test/bb-12.2-nikita-global-tmp_dbg_san/storage/rocksdb/ha_rocksdb.cc:3183:23

Attachments

Issue Links

is caused by

MDEV-35915 Implement Global temporary tables

In Testing

relates to

MDEV-29680 ASAN heap-use-after-free in myrocks::Rdb_transaction::on_commit upon CREATE OR REPLACE .. SELECT

Open

Activity

People

Assignee:: Nikita Malyavin

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-09-19 00:42

Updated:: 6 days ago 00:08

Resolved:: 2025-09-24 03:40

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.