Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
N/A
-
Not for Release Notes
-
Q4/2025 Server Maintenance
Description
-- Reproducer as filed (mysqltest-style script). The statement order matters for
-- reproducing the AddressSanitizer report shown further down, so it is left as is.
-- NOTE(review): the trailing "|" on each line and the lone "|" line look like
-- table-cell residue from the page export, not SQL; strip them before running.
CREATE GLOBAL TEMPORARY TABLE t (x INT) ON COMMIT PRESERVE ROWS; |
-- XA transaction 'a' is started here and never ended in this script, so every
-- later statement runs while it is active.
XA START 'a'; |
SELECT * FROM t; |
-- Very small statement time limit; presumably intended to make a later statement
-- hit the timeout (TODO confirm which one).
SET @@max_statement_time=0.00001; |
HANDLER t OPEN; |
-- NOTE(review): t declares no PRIMARY key in the CREATE above; the outcome of this
-- statement is not shown in the report.
LOAD INDEX INTO CACHE t KEY(PRIMARY); |
-- mysqltest directive: the next statement (DROP TABLE t) is expected to fail with
-- ER_XAER_RMFAIL.
--error ER_XAER_RMFAIL
|
DROP TABLE t; |
-- Second HANDLER OPEN on the same table name, issued after the failed DROP.
HANDLER t OPEN; |
-- Final statement of the script; the reported read of freed memory occurs under
-- execute_sqlcom_select() in the stack trace.
SELECT 1; |
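Leads to a heap-use-after-free (AddressSanitizer report below). A 96-byte object allocated by MDL_context::clone_ticket() under mysql_ha_open() is freed by mysql_ha_close_table() via mysql_ha_rm_tables(). It is later read by MDL_ticket::has_pending_conflicting_lock(), called from mysql_ha_flush() while a SELECT opens its tables. Allocation, free and read all happen in the same connection thread (T13):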
MDEV-35915-5 CS 12.2.0 5a344faeb0bab8520ad5c92be6fc1fc0a9c56d52 (Debug, UBASAN, Clang 21.1.0-20250811) Build 16/09/2025 |
==1221425==ERROR: AddressSanitizer: heap-use-after-free on address 0x6c88ba82c670 at pc 0x6473fe8dd1e9 bp 0x6c07b4900050 sp 0x6c07b4900048
|
READ of size 8 at 0x6c88ba82c670 thread T13
|
#0 0x6473fe8dd1e8 in MDL_ticket::has_pending_conflicting_lock() const /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3676:10
|
#1 0x6473fdf3e295 in mysql_ha_flush(THD*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:1198:42
|
#2 0x6473fdbbbecc in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:4715:5
|
#3 0x6473fdbce191 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.cc:5779:7
|
#4 0x6473fd697fb4 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_base.h:544:10
|
#5 0x6473fe0ce503 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:6092:14
|
#6 0x6473fe0b9e78 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:3954:12
|
#7 0x6473fe093518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
|
#8 0x6473fe08ccdc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
|
#9 0x6473fe09594a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
|
#10 0x6473fe89a81c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
|
#11 0x6473fe89a325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
|
#12 0x6473fd053d6a in asan_thread_start(void*) crtstuff.c
|
#13 0x7008bba9ca93 in start_thread nptl/pthread_create.c:447:8
|
#14 0x7008bbb29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
0x6c88ba82c670 is located 80 bytes inside of 96-byte region [0x6c88ba82c620,0x6c88ba82c680)
|
freed by thread T13 here:
|
#0 0x6473fd09b2f6 in operator delete(void*, unsigned long) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdd2f6) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
|
#1 0x6473fdf34b8d in mysql_ha_close_table(SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:231:22
|
#2 0x6473fdf3d5c5 in mysql_ha_rm_tables(THD*, TABLE_LIST*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:1123:7
|
#3 0x6473fe0ad62d in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:3807:5
|
#4 0x6473fe093518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
|
#5 0x6473fe08ccdc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
|
#6 0x6473fe09594a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
|
#7 0x6473fe89a81c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
|
#8 0x6473fe89a325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
|
#9 0x6473fd053d6a in asan_thread_start(void*) crtstuff.c
|
|
previously allocated by thread T13 here:
|
#0 0x6473fd09a8b1 in operator new(unsigned long, std::nothrow_t const&) (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3bdc8b1) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
|
#1 0x6473fe8d628f in MDL_context::clone_ticket(MDL_request*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:2798:17
|
#2 0x6473fdf30e74 in mysql_ha_open(THD*, TABLE_LIST*, SQL_HANDLER*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_handler.cc:372:29
|
#3 0x6473fe0b1af5 in mysql_execute_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:5447:10
|
#4 0x6473fe093518 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:7894:18
|
#5 0x6473fe08ccdc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1882:7
|
#6 0x6473fe09594a in do_command(THD*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_parse.cc:1421:17
|
#7 0x6473fe89a81c in do_handle_one_connection(CONNECT*, bool) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1414:11
|
#8 0x6473fe89a325 in handle_one_connection /test/bb-12.2-nikita-global-tmp_dbg_san/sql/sql_connect.cc:1326:5
|
#9 0x6473fd053d6a in asan_thread_start(void*) crtstuff.c
|
|
Thread T13 created by T0 here:
|
#0 0x6473fd03a465 in pthread_create (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3b7c465) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
|
#1 0x6473fd0addbc in create_thread_to_handle_connection(CONNECT*) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6272:19
|
#2 0x6473fd0aee45 in handle_connections_sockets() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6508:9
|
#3 0x6473fd0ad3ca in run_main_loop() /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:5750:3
|
#4 0x6473fd0a2d7e in mysqld_main(int, char**) /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mysqld.cc:6173:3
|
#5 0x7008bba2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x7008bba2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x6473fcfb0d74 in _start (/test/MDEV-35915_5_UBASAN_MD160925-mariadb-12.2.0-linux-x86_64-dbg/bin/mariadbd+0x3af2d74) (BuildId: 875724b5ebbe978ad95c25535971436c9dc343ab)
|
|
SUMMARY: AddressSanitizer: heap-use-after-free /test/bb-12.2-nikita-global-tmp_dbg_san/sql/mdl.cc:3676:10 in MDL_ticket::has_pending_conflicting_lock() const
|
Shadow bytes around the buggy address:
|
0x6c88ba82c380: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x6c88ba82c400: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x6c88ba82c480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
|
0x6c88ba82c500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
|
0x6c88ba82c580: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x6c88ba82c600: fa fa fa fa fd fd fd fd fd fd fd fd fd fd[fd]fd
|
0x6c88ba82c680: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
|
0x6c88ba82c700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x6c88ba82c780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x6c88ba82c800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x6c88ba82c880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1221425==ABORTING
|
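Only ASAN debug builds are affected (the failure shows up as the AddressSanitizer report above). Both MyISAM and InnoDB are affected. Nothing in the trace marks the read in mysql_ha_flush() as sanitizer-specific, so other builds presumably perform the same read of the freed ticket without reporting it; this should be confirmed against the fix.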
Issue Links
- is caused by
-
MDEV-35915 Implement Global temporary tables
-
- In Testing
-